Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7401a37551a8482…

MALICIOUS

Office (OLE)

Size: 148.5 KB
Created: 1999-06-19 04:19:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14

MD5: 85ea5439420e4fcf4baca639fdba1bba
SHA-1: fda36226583db0f46f7b69e995ec05ecea981253
SHA-256: d7401a37551a8482f1199bcd5f66f6f3a3e3e487208b436107bdf2c10eb9aef2

Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, specifically containing markers like 'ToolsMacro' and 'AutoClose'. The presence of these markers, along with the ClamAV detection of 'Win.Trojan.CVCK1-2', strongly indicates malicious intent. The document body contains numerous strings related to macro functions and file properties, likely part of the obfuscated macro code.

Heuristics (2)

  • ClamAV: Win.Trojan.CVCK1-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.CVCK1-2
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.