Office (OLE) malware analysis — malicious · d90fbd4183c907f2

MALICIOUS

Office (OLE)

70.0 KB Created: 1996-03-20 10:26:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14

MD5: c2ee73f75b9b1381079720b2bb34e140 SHA-1: 3224daf8b5bf475295eb1e831faa973d9fb5ec30 SHA-256: d90fbd4183c907f29fa1b7c20d8b3706592e3bc2ec12ae72dd8f1e643680459f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.001 PowerShell T1059.003 Windows Command Shell

The sample contains a legacy WordBasic AutoClose macro, indicating it's designed to execute automatically upon closing the document. A critical heuristic flags it as Win.Trojan.Johnny-2. The document body, while appearing as a technical note, contains a high-severity heuristic indicating it's a clipboard command execution lure, instructing the user to paste content into a shell, which is a common technique for executing malicious payloads.

Heuristics 3

ClamAV: Win.Trojan.Johnny-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Johnny-2
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.