Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d52d841b1920b1a9…

MALICIOUS

Office (OLE)

23.5 KB Created: 1997-11-20 11:22:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14
MD5: 4566d8e20da2ae05b3e152684065efd1 SHA-1: c8e8e4cde172593d5d3beebef4003176ebb0ea13 SHA-256: d52d841b1920b1a98a7e78d0e7750864e444f2d7535743acee26887a5d249dfb
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, specifically identified by the 'ToolsMacro' marker and ClamAV detection as Win.Trojan.Innocence-2. The presence of macro-related keywords in the document body further supports the likelihood of malicious macro execution. The primary attack vector is likely the execution of these embedded macros, which are designed to perform malicious actions.

Heuristics 2

  • ClamAV: Win.Trojan.Innocence-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Innocence-2
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.