Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 77a885bdd67265b1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 12.5 KB
Created: 1997-03-04 19:02:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: 724796f791beb426a142f306e11ae20c
SHA-1: 690f914e49eaa122ee2a897ca879a1780c96670c
SHA-256: 77a885bdd67265b157c1d40b9b8abae8cfddd3329bd913284342acf73e0fe9fc
Risk score: 100

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample carries legacy WordBasic macro-virus markers, specifically 'TOOLSMACRO', together with numerous references to 'ERASER' and 'avkiller'. This strongly indicates malicious intent, most likely disabling anti-virus software or infecting the system. These markers, combined with the ClamAV detection 'Doc.Trojan.Eraser-17', point to a malicious macro-based document.

Heuristics (2)

  • ClamAV: Doc.Trojan.Eraser-17 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Eraser-17
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers (such as AutoOpen combined with ToolsMacro/MacroFile/fileMacro/globMacro) or the names of known historical macro viruses. These old Word 6/95 macro forms are not stored as a modern VBA project, so standard VBA source extraction can miss them.