Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dd4983aab4ad2b76…

MALICIOUS

Office (OLE)

12.0 KB Created: 1996-08-06 10:16:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14
MD5: 5266d58f91953189e28c9549f9089693 SHA-1: b33b538cb21f1a1a00fcb546e9190ec172744552 SHA-256: dd4983aab4ad2b7609de03649abae95ecb25866d1be9ab7e9a0693af8db0b712
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits legacy WordBasic macro virus markers, specifically 'ToolsMacro', and is detected by ClamAV as 'Win.Trojan.Crypt-4'. The document body contains strings indicative of macro execution and file paths that may relate to malware distribution. The presence of legacy macro virus markers strongly suggests an attempt to execute malicious code.

Heuristics 2

  • ClamAV: Win.Trojan.Crypt-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Crypt-4
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.