Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 80226ceb02cbe565…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 1997-05-17 16:59:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: 1ebe75cff82464ecc957c353ce5d0fa8
SHA-1: 52d35e940c11cf8012d93a92218c9bd1b0d3b7a8
SHA-256: 80226ceb02cbe565ae8775320996b6e388723afdaa90334c19b2e8a2773d1e2f
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro virus, specifically the 'TOOLSMACRO' marker and the presence of macro-related keywords like 'AUTOOPEN' and 'ZLOCKMACRO'. The document body also contains references to old printer drivers and file paths, which may be part of the macro's functionality or obfuscation. The primary technique identified is the use of Visual Basic for macro execution.

Heuristics (2)

  • ClamAV: Win.Trojan.Ant-6 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Ant-6
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.