Win.Trojan.Inexist-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 cc0817480433abad…

MALICIOUS

Office (OLE)

Size: 14.0 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: fde9e74f4a8739349463a01f4994c7bd
SHA-1: fa1688f3c305fa1e8c763c0ede1ba0eca3e64b0f
SHA-256: cc0817480433abad649b22272d326e303cb98eb9a3ce5d76f9ad719c28228e8e
Risk Score: 80

Malware Insights

Win.Trojan.Inexist-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The critical-severity ClamAV heuristic identified the file as Win.Trojan.Inexist-1. The presence of a legacy WordBasic AutoOpen macro marker indicates that the document is designed to execute malicious code automatically when opened. The macro code itself appears to be involved in file operations and possibly infection, though it is heavily truncated.

Heuristics (2)

  • ClamAV: Win.Trojan.Inexist-1 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Inexist-1
  • Legacy WordBasic auto-exec macro marker · medium · OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.