Win.Trojan.Toten-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 946468a04eefec25…

MALICIOUS

Office (OLE)

Size: 6.0 KB
First seen: 2012-06-14
MD5: 4faec642750e93423bcb30b5f042b839
SHA-1: c5653eadeb042f6815a58a4e697442392b08effd
SHA-256: 946468a04eefec25d93bd8ef41f61dbf3fa9f6b0ec2e16a3efbb60f8790c8376
Risk Score: 100

Malware Insights

Win.Trojan.Toten-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro virus markers, specifically 'RSN MACRO VIRUS', and references an 'AutoOpen' macro, indicating an attempt to execute malicious code upon opening. ClamAV identifies the family as Win.Trojan.Toten-2. The document body contains numerous strings related to the macro virus and its creator.

Heuristics (2)

  • ClamAV: Win.Trojan.Toten-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Toten-2
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.