Win.Trojan.Eraser-5 — Office (OLE) malware analysis

Static analysis result for SHA-256 ae4776bce3877bb3…

MALICIOUS

Office (OLE)

15.5 KB Created: 1997-03-15 22:32:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: 8ab327c5a532978db5751a2064c7834b SHA-1: f54710ba1fe714fbcb61c461504f685ec3642eda SHA-256: ae4776bce3877bb3456c280be92a4406e979a5dfe592181beb902ce081cfedb2
140 Risk Score

Malware Insights

Win.Trojan.Eraser-5 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a legacy WordBasic macro-virus by ClamAV, specifically Win.Trojan.Eraser-5. Heuristics indicate the presence of heap-spray patterns and legacy WordBasic macro-virus markers like TOOLSMACRO. These findings strongly suggest the file is designed to execute malicious code through embedded macros.

Heuristics 3

  • ClamAV: Win.Trojan.Eraser-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Eraser-5
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x07 bytes found
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'pop' is 87% of instructions — a sled or padding/filler run, not program logic).
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Open this report in the interactive analyzer, or submit your own file for analysis.