Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 05b423aa13a0c7c5…

MALICIOUS

Office (OLE) / .DOC

Size: 220.5 KB
Created: 2025-09-11 06:10:00
Authoring application: Microsoft Office Word
MD5: 2c55ada7bf05b4ca1d3b2e8e0b5655fc
SHA-1: 4bcaa8c1a28377d23a2ce22b93f187ab7242ac91
SHA-256: 05b423aa13a0c7c54219288431b75815f50650d6c13bc44a7fdd7b38691c40f9
Risk Score: 110

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, indicated by the OLE_VBA_MACROS heuristic and the presence of a macros.bas script. The script references constants and potentially constructs strings related to file operations and network communication, suggesting it may be involved in downloading or executing further payloads. The document body mimics a Chubb Insurance payment notification, a common lure for phishing or social engineering attacks. The ShellExecute API reference further supports the likelihood of malicious execution.

Heuristics 5

  • Reference to ShellExecute API (severity: high; rule: SC_STR_SHELLEXEC)
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • https://apclaims.aceins.com/AP_PROD/AFS.Claims/ACE_HFC/FileNotes/FileNoteAcceptorView.aspx?RedirectedFromDocument=TRUE&ClaimID=08DD9675242B5801&AttachmentID=0x9a0e79250xf344&FileNoteType=02&ParticipantIDs=%2c%2c&AttachmentFileName=AH+Claims+AU+Chubb+AMEX+NAC+Business+Payment+Letter&FileExtension=DOCX&UserStateId=08DDEE5FF61C914E&Navigation=True&ApplicationVersion=10.712002
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash: 4e48c266f7a03682d35e4361998931ce8403dd8cb3469180044e3e7dace227f4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 226311 bytes