Doc.Trojan.Groovie-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 8bafb462df156af5…

MALICIOUS

Office (OLE)

43.0 KB Created: 1998-07-23 13:30:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: a975c5569544130ce2710b5d04814f3d SHA-1: 0b389971d08b84e857b0e1658a321fc9512b64ce SHA-256: 8bafb462df156af512a21945d1bdd5614a8db9dcccf733b3c12b40a0f25a43dd
142 Risk Score

Malware Insights

Doc.Trojan.Groovie-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, specifically identified by ClamAV as Doc.Trojan.Groovie-2. The presence of a NOP sled and legacy macro virus markers strongly suggests the file's intent is to execute malicious code. Although VBA extraction failed, the heuristic firings are sufficient to assess the attack pattern.

Heuristics 4

  • ClamAV: Doc.Trojan.Groovie-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Groovie-2
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'nop' is 96% of instructions — a sled or padding/filler run, not program logic).
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    The Analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.

Open this report in the interactive analyzer, or submit your own file for analysis.