Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e7b055a2ed036527…

MALICIOUS

Office (OLE)

9.5 KB Created: 1997-01-26 10:56:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: 893ab68de28ac7d6290a5cf446a750f7 SHA-1: d55c16de63f6e2cdbbd299ab4671e8c3d17f1a6a SHA-256: e7b055a2ed036527873ae5a0ff0df67550ac398178360d342177a2c72e97fd2e
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing an AUTOCLOSE macro, a known indicator of malicious intent for older Office formats. ClamAV identifies it as Win.Trojan.Pig-1. The AUTOCLOSE macro is a strong indicator that the document is designed to execute arbitrary code upon opening, likely to download and execute a secondary payload.

Heuristics 2

  • ClamAV: Win.Trojan.Pig-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pig-1
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.