Win.Trojan.Screw-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 7da275daf33524ad…

MALICIOUS

Office (OLE)

27.5 KB Created: 1997-04-01 17:04:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: 88585cc763ef3bab552d8da8b069415c SHA-1: 7102370d7b5f5e6b1334ffd32ca4ee2d92fa2fc5 SHA-256: 7da275daf33524addf7f9559bad4de0424dedbacb29b7f4335af874cf8e85858
100 Risk Score

Malware Insights

Win.Trojan.Screw-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits the characteristics of a legacy WordBasic macro virus, which ClamAV identifies as 'Win.Trojan.Screw-1'. Strings embedded in the document reference 'c:\msdos.sys', the Word global template 'normal.dot', and system executables such as 'win.com4i', as well as the screen-saver files 'SCRNSAVE.EXE' and '\SSMARQUE.SCR' and the configuration file '\system.ini'. Together these indicate a macro that tries to propagate beyond the document into Word's global template and to tamper with DOS and Windows system files, a broad infection attempt. Because the macro is WordBasic (Word 6/95) rather than a VBA project, it is not visible to tooling that only enumerates VBA modules.

Heuristics 2

  • ClamAV: Win.Trojan.Screw-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Screw-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers: an auto macro name such as AutoOpen together with macro-tooling identifiers (ToolsMacro/MacroFile/fileMacro/globMacro) or the names of known historical macro viruses. Word 6/95 macros are stored as WordBasic inside the document streams rather than as a VBA project, so tools that extract VBA source can miss them; scanning the raw OLE streams for these markers is the practical check.
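A practical way to apply the heuristic above is to read the OLE streams directly and look for the marker combinations it names. The following is an added example, not the scanner's or ClamAV's code: it scans each stream's raw bytes for the auto-macro names and tooling identifiers in both ASCII and UTF-16LE, pulls out DOS-style file paths like the ones listed in the analysis, and records whether a VBA storage exists at all. The marker lists, the 'high'/'low' scoring rule, the path regex and the use of the third-party olefile package are assumptions for illustration.

```python
"""Added example, not the scanner's own code: flag legacy Word 6/95
WordBasic macro markers by scanning raw OLE streams.

Assumptions: the marker lists, the high/low rule, PATH_RE and the use of
the third-party olefile package are illustrative choices, not the page's.
"""
import re
import sys

# Word 6/95 auto-execution macro names (assumed list).
AUTO_MACROS = (b"AutoOpen", b"AutoExec", b"AutoClose", b"AutoNew", b"AutoExit")
# Macro-tooling identifiers the heuristic on this page names.
TOOL_MARKERS = (b"ToolsMacro", b"MacroFile", b"FileMacro", b"GlobMacro")
# Storages a VBA-era document carries; WordBasic documents have none of them.
VBA_STORAGES = ("Macros", "_VBA_PROJECT_CUR", "VBA")
# DOS-style paths with an extension of interest, e.g. c:\msdos.sys, \system.ini.
PATH_RE = re.compile(rb"(?:[A-Za-z]:)?\\[\w.\\]+\.(?:sys|dot|exe|ini|scr|com)",
                     re.IGNORECASE)
RANK = {"none": 0, "low": 1, "high": 2}


def find_markers(data: bytes) -> dict:
    """Markers present in raw bytes, case-insensitive, in ASCII or UTF-16LE."""
    low = data.lower()

    def present(word: bytes) -> bool:
        w = word.lower()
        return w in low or w.decode().encode("utf-16-le") in low

    return {
        "auto": [w.decode() for w in AUTO_MACROS if present(w)],
        "tools": [w.decode() for w in TOOL_MARKERS if present(w)],
        "paths": sorted({m.decode("ascii", "replace") for m in PATH_RE.findall(data)}),
    }


def classify(markers: dict) -> str:
    """Assumed rule: auto macro plus tooling identifier is the virus pattern."""
    if markers["auto"] and markers["tools"]:
        return "high"
    if markers["auto"] or markers["tools"]:
        return "low"
    return "none"


def scan_streams(streams: dict, storages=()) -> dict:
    """Scan a {stream_name: bytes} mapping; report hits and a verdict.

    has_vba_project records whether any VBA storage exists: when it is False
    a VBA extractor has nothing to show even though the document is armed.
    """
    hits = {name: find_markers(data) for name, data in streams.items()}
    verdict = max((classify(m) for m in hits.values()), key=RANK.get, default="none")
    return {
        "verdict": verdict,
        "streams": {n: m for n, m in hits.items() if any(m.values())},
        "has_vba_project": any(s.split("/")[-1] in VBA_STORAGES for s in storages),
    }


def scan_ole(path: str) -> dict:
    """Read every stream of an OLE file with olefile and scan it."""
    import olefile  # third-party: pip install olefile

    ole = olefile.OleFileIO(path)
    try:
        streams = {"/".join(p): ole.openstream(p).read()
                   for p in ole.listdir(streams=True, storages=False)}
        storages = ["/".join(p) for p in ole.listdir(streams=False, storages=True)]
    finally:
        ole.close()
    return scan_streams(streams, storages)


if __name__ == "__main__":
    report = scan_ole(sys.argv[1])
    print("verdict:", report["verdict"], "| VBA project present:", report["has_vba_project"])
    for name, m in report["streams"].items():
        print(name, m)
```

Save the script and pass it the path of the .doc file; a legacy sample reports a 'high' verdict with no VBA project present, which is exactly the case where VBA-only extraction returns nothing. The UTF-16LE check matters because some Word builds store identifier text as wide characters, and the per-stream output tells you which stream (typically WordDocument) carries the macro markers.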