Win.Trojan.Psycho-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 b11db625a9c2cef3…

MALICIOUS

Office (OLE)

  • Size: 37.5 KB
  • Created: 1999-09-03 22:21:00
  • Authoring application: Microsoft Word 9.0
  • First seen: 2012-06-14
  • MD5: 97f6df6157a17acba45e724f7c826a9f
  • SHA-1: cf68ff9ecea4f9ebe2fd09ea2e80d674dd37669c
  • SHA-256: b11db625a9c2cef305dfe0391bf08ea3b41fcc5806a4687af7474e590294827d
  • Risk Score: 102

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious (Win.Trojan.Psycho-3). Heuristics indicate VBA p-code that auto-executes on document open and uses CreateObject, a common technique in macro-based malware. The document body explicitly describes itself as a virus and mentions plans to add URL autoloading and destructive payloads in future versions, consistent with a macro-based threat.

Heuristics (3)

  • [critical] ClamAV: Win.Trojan.Psycho-3 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • [high] VBA p-code auto-exec with execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [info] Unsupported Office format for VBA extraction (OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.