Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 de45afa1de5df42e…

MALICIOUS

Office (OLE)

20.0 KB Created: 1997-04-21 07:31:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: 249e1949cc5bdab42a433d2f2e383bde SHA-1: 8a88508518e99fc931ccc9dc97b7fa5a93f44f7f SHA-256: de45afa1de5df42e28d7e2744f2362f0fdc56e6b0a11fb8a6a4c7b1ae4479f8d
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a legacy WordBasic macro virus, specifically flagged by ClamAV as Win.Trojan.JunkFace-1. The presence of 'ToolsMacro' and 'AutoClose' in the document body suggests the execution of malicious code upon opening or closing the document. The legacy nature and detection name point to a known malware family.

Heuristics 2

  • ClamAV: Win.Trojan.JunkFace-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.JunkFace-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.