Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c60d3451abc44dc1…

MALICIOUS

Office (OLE)

  • Size: 10.0 KB
  • Created: 1997-04-10 16:29:00
  • Authoring application: Microsoft Word 6.0
  • First seen: 2012-06-14
  • MD5: 4ded7f2b0d00a674f450b43c2b5a7546
  • SHA-1: 84165ef2905023289d5c749c866f5e64cf80d1dd
  • SHA-256: c60d3451abc44dc1394cf23398b03a747c4fba14ce8f59e658e4350c722fba13
  • Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is a legacy Word document containing an AutoOpen macro, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The document body presents itself as FTP login information for Panda Software International, providing credentials and a list of archive files that are described as antivirus software. The SE_PASSWORD_ARCHIVE_LURE heuristic suggests this is a common tactic to disguise malicious payloads as legitimate software within password-protected archives, which are then provided to the user. The ClamAV detection further confirms the malicious nature of the file.

Heuristics (3)

  • ClamAV: Win.Trojan.GreenBay-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.GreenBay-1
  • Password-protected archive handoff (severity: high; rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.