Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e91a2dd60798da1a…

MALICIOUS

Office (OLE)

15.0 KB Created: 1996-10-13 19:08:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14
MD5: 7634c5977ca133057cb4e2493ce1cb36 SHA-1: 8a430ba1bd68e93436a583f7c0c5506b8866b1bd SHA-256: e91a2dd60798da1a912a20c9ffe9182dcc933ec2d7447cb6dd59c3268c2cae82
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Win.Trojan.MDMA-3. Static analysis revealed a legacy WordBasic macro marker 'AutoClose', indicating that malicious code would execute automatically upon closing the document. The presence of this marker and the legacy nature of the macro suggest an older, but still potentially dangerous, attack vector.

Heuristics 2

  • ClamAV: Win.Trojan.MDMA-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.MDMA-3
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.