Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7404b2c26002fe9…

MALICIOUS

Office (OLE)

Size: 14.5 KB
Created: 1997-06-02 16:49:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: da6fedcaec280126c6f4c52f94422f69
SHA-1: fc58ad16fd65e32e41d2d7c04959a471e0228dda
SHA-256: d7404b2c26002fe9face347213c9eb4f2e5db5d1d9c2f862840b5fc765bc14e6
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is detected as Win.Trojan.Italian-12 by ClamAV. Static analysis indicates the presence of legacy WordBasic auto-execution macros, specifically AutoClose and AutoOpen, which are commonly used to initiate malicious actions when a document is opened or closed. The document body contains markers related to these macros and legacy WordPerfect formatting.

Heuristics (2)

  • ClamAV: Win.Trojan.Italian-12 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Italian-12
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.