Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 11e7d19813747c32…

Verdict: MALICIOUS
File type: Office (OLE) / .DOC
Size: 108.5 KB
Created: 2010-04-27 15:53:00
Authoring application: Microsoft Word 9.0
First seen: 2026-05-09
MD5: 00a57e572d3f34b2f9b5e5a24cdee0ed
SHA-1: 8a088d8fe91f90c905fb3916aaf3de0309f65dca
SHA-256: 11e7d19813747c327f423d0616f7a1133e242233200cc7f4928156a652159eaa
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon opening or closing the document. The document body presents a form, suggesting a social engineering lure to collect user data. The presence of a VBA macro-virus replication heuristic indicates the macro is designed to spread or tamper with AV.

Heuristics (5)

  • [medium] VBA macros detected (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • [critical] VBA macro-virus self-replication / AV tampering (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _
  • [low] AutoOpen macro (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • [low] Auto_Close macro (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    Sub AutoClose()
  • [medium] Legacy WordBasic auto-exec macro marker (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5145 bytes
SHA-256: 5fea539d357873bbe44e92be163b08e91114f147992e0a3e38fcff315a1110d1
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1PPO.Stellys_Macros"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Pasting"
Attribute VB_Base = "0{038408F6-97F3-43FA-BD7D-8DC71AE3C249}{63263884-9956-4372-920E-4E73E2880E28}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub OK_Click()
Pasting.Hide
End Sub


Attribute VB_Name = "Stelly_Module"
Sub Copy_for_CrimInt()
'
' Copy Macro
' Macro written 03/05/2005 by Stelly
'
    If ActiveDocument.ProtectionType <> wdNoProtection Then
    ActiveDocument.Unprotect
    Selection.WholeStory
    Selection.Copy
    ActiveDocument.Protect _
        Type:=wdAllowOnlyFormFields, NoReset:=True
    Else
    Selection.WholeStory
    Selection.Copy
End If
    Pasting.Show
End Sub
Sub Field_Update()
'
' Field_Update Macro
' Macro written 03/05/2005 by Stelly
'
If ActiveDocument.Fields.Update = 0 Then
    MsgBox "Calculation Successful"
Else
    MsgBox "Field " & ActiveDocument.Fields.Update & _
        " has an error"
End If
End Sub
Sub Unlock_Lock()
'
' Unlock_Lock Macro
' Macro written 03/05/2005 by Stelly
'

If ActiveDocument.ProtectionType <> wdNoProtection Then
    ActiveDocument.CommandBars("PPO Referral Form Toolbar").Controls(5).State = Office.msoButtonUp
    ActiveDocument.Unprotect
    MsgBox "You have unlocked the document. Ensure you Lock it before making any changes to the data to ensure Calculations work properly."
    Else
    ActiveDocument.Protect _
    Type:=wdAllowOnlyFormFields, NoReset:=True
    ActiveDocument.CommandBars("PPO Referral Form Toolbar").Controls(5).State = Office.msoButtonDown
    
End If
End Sub
Sub Copy_Macros()
'
' Copy_Macro Macro
' Macro written 17/08/2005 by Stelly
'
If ActiveDocument.ProtectionType <> wdNoProtection Then
    ActiveDocument.Unprotect
End If

Set currentTemplate = ActiveDocument.AttachedTemplate
If currentTemplate = ActiveDocument Then
MsgBox "Template Edit Mode"
Else
    Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _
        & currentTemplate.Name, Destination:=ActiveDocument, Name:="Pasting", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _
        & currentTemplate.Name, Destination:=ActiveDocument, Name:="Stelly_Module", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=currentTemplate.Path & Application.PathSeparator _
        & currentTemplate.Name, Destination:=ActiveDocument, Name:="PPO Referral Form Toolbar", Object:=wdOrganizerObjectCommandBars
End If
ActiveDocument.Protect _
    Type:=wdAllowOnlyFormFields, NoReset:=True
    
Set currentTemplate = Nothing

End Sub
Sub Toolbar_Menu_Creation()
'
' Toolbar_Menu_Creation Macro
' Macro written 17/08/2005 by Stelly
'

    foundFlag = False
For Each cb In CommandBars
    If cb.Name = "PPO Referral Form Toolbar" Then
        cb.Visible = True
        foundFlag = True
    End If
Next cb
If Not foundFlag Then
 
    Dim customBar As CommandBar
    Dim newButton As CommandBarButton
    Set customBar = CommandBars.Add(Name:="PPO Referral Form Toolbar", Position:=msoBarFloating)
    Set newButton = customBar.Controls _
    .Add(msoControlButton, CommandBars("File") _
    .Controls("Save").ID)
    Set newButton = customBar.Controls _
    .Add(msoControlButton, CommandBars("File") _
    .Controls("Print...").ID)
    Set newButton = customBar.Controls _
    .Add(msoControlButton)
    Set newButton = customBar.Controls _
    .Add(msoControlButton)
    Set newButton = customBar.Controls _
    .Add(msoControlButton)
    customBar.Controls(1).Style = msoButtonIconAndCaption
    customBar.Controls(2).Style = msoButtonIconAndCaption
    customBar.Controls(3).Caption = "Calculate Scores"
    customBar.Controls(3).FaceId = 0
    customBar.Controls(3).OnAction = "Field_Update"
    customBar.Controls(3).Style = msoButtonIconAndCaption
    customBar.Controls(4).Caption = "Copy to Clipboard for CrimInt"
    customBar.Controls(4).FaceId = 0
    customBar.Controls(4).OnAction = "Copy_for_CrimInt"
    customBar.Controls(4).Style = msoButtonIconAndCaption
    customBar.Controls(5).Caption = "Lock/Unlock"
    customBar.Controls(5).FaceId = 0
    customBar.Controls(5).OnAction = "Unlock_Lock"
    customBar.Controls(5).Style = msoButtonIcon
    customBar.Controls(5).State = msoButtonMixed

    customBar.Visible = True
    

End If

End Sub
Sub AutoOpen()

'Application.Run MacroName:="Toolbar_Menu_Creation"

End Sub
Sub AutoNew()

'Application.Run MacroName:="Toolbar_Menu_Creation"
Application.Run MacroName:="Copy_Macros"
End Sub

Sub AutoClose()

'Application.Run MacroName:="Copy_Macros"

End Sub