Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bd6355a105bf4c93…

MALICIOUS

Office (OLE)

File size: 87.0 KB
Created: 1997-02-11 06:52:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: af545d5af76a690a40c42d193c234232
SHA-1: dde3a0dafaa166bfbdec2d850d3c6b9a8a3e6d0f
SHA-256: bd6355a105bf4c932a17597c3009de30795d691619a91a9c2747889e3c657f5e
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro-virus markers, specifically 'TOOLSMACRO', and contains the embedded strings 'AUTOOPEN' and 'AUTOCLOSE', which indicate automatic macro execution when the document is opened or closed. The presence of 'C:\Twnos1-n.dot' suggests a potential dropped file or template, further supporting macro-based execution.

Heuristics (2)

  • ClamAV: Win.Trojan.Box-1 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Box-1
  • Legacy WordBasic macro-virus markers [high] [OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.