Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e97ec1e3618c5bca…

MALICIOUS

Office (OLE)

45.5 KB Created: 1997-03-13 23:39:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: b1f9b8e29c50e42a053a402e6db7bc52 SHA-1: 2783aba718fb65b83b65ce50f8e9256e462cd661 SHA-256: e97ec1e3618c5bcafc7a47d8b049b3dc8fe57ec9ba8dbbe8c6d997dd1dc6e984
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is a legacy Word document containing a WordBasic AUTOOPEN macro, which is a known technique for executing malicious code upon document opening. The presence of the AUTOOPEN marker and the critical ClamAV detection strongly indicate malicious intent, likely to download and execute a secondary payload.

Heuristics 2

  • ClamAV: Win.Trojan.Tm-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Tm-1
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.