Office (OLE) malware analysis — malicious · c9b1ba30bbb6c996

MALICIOUS

Office (OLE)

15.0 KB Created: 1997-02-10 15:07:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14

MD5: 13a0ee61a39cae3eb57ecca892b253a4 SHA-1: 652744227d7c2f2797999ba1174bd0c1be224539 SHA-256: c9b1ba30bbb6c996a9846b78c8f97d54db7ef589fd09b84d28f7309cb6c8e58d

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing WordBasic macros, specifically triggering the 'AutoOpen' marker. This indicates an attempt to execute malicious code automatically when the document is opened, a common technique for macro-based malware. The presence of 'Win.Trojan.TwoLines-1' detection by ClamAV further confirms its malicious nature, likely related to the historical 'Two Lines' macro virus.

Heuristics 2

ClamAV: Win.Trojan.TwoLines-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.TwoLines-1
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.