Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b562580795ae37a6…

MALICIOUS

Office (OLE)

Size: 149.0 KB
Created: 1999-04-17 11:01:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e7687d54867cd004e4f333989725f8e8
SHA-1: 1f278540c1a4981f5a2b1e6129da17bd1c3788bc
SHA-256: b562580795ae37a6b4bcdd2703007ad1e85e8212f5acb1f7d3ab5c9ff16e0977
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.IIS-4'. A critical heuristic indicates VBA p-code auto-execution with shell execution tokens within the Document_Open macro, suggesting an attempt to run arbitrary code upon opening. Although VBA macros could not be fully extracted due to an unsupported Office format, the heuristic strongly implies malicious intent. The document body appears to be malformed or corrupted, providing no readable content to infer the lure.

Heuristics (3)

  • ClamAV: Doc.Trojan.IIS-4 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.IIS-4
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (IndexError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML; re-scanning the same bytes will yield the same outcome.