Doc.Trojan.Ramiel-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 fb2e20bd92cd3feb…

MALICIOUS

Office (OLE)

79.0 KB Created: 2002-06-28 04:18:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 94347a003b60d84c28b8725b062ee32e SHA-1: 9cb57b8984bb4544134714a028904d855218a8ce SHA-256: fb2e20bd92cd3febfb44b4c6f66caafddda87c5a67f301f5fea1c0966dbbb82f
102 Risk Score

Malware Insights

Doc.Trojan.Ramiel-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Ramiel-1. A critical heuristic indicates VBA p-code auto-execution upon document opening, using execution tokens to create objects. While VBA macros could not be fully extracted due to an unsupported Office format, the presence of auto-execution code strongly suggests the document is designed to run malicious scripts. The embedded email address 'Sachiel2015@latinmail.com' may be an indicator of compromise or contact information.

Heuristics 3

  • ClamAV: Doc.Trojan.Ramiel-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ramiel-1
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.