Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 167d5ab70f55c100…

Verdict: MALICIOUS

File type: Office (OLE) / .DOCX

Size: 1.89 MB
Created: 2026-01-25 08:52:00
Authoring application: Microsoft Office Word
First seen: 2026-02-25

MD5: 10af4e0e90eb0ff371f32a049edc5511
SHA-1: 0588cf26b6e9210f86a266ac0366af1fd29f135c
SHA-256: 167d5ab70f55c100e51833fbfea44048095889c162e1330df0631423fc547409

Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains a Document_Open VBA macro that first calls a delay function, then attempts to write content to 'C:\Users\Public\Documents\MicrosoftWordUser.log' and to execute a file named 'C:\Users\Public\Documents\MicrosoftWordUser.exe'. The macro uses CreateObject("Shell.Application") and ShellExecute to launch the payload, indicating downloader or dropper functionality. The combination of an auto-executing Document_Open macro and a ShellExecute call is a strong indicator of malicious intent.

Heuristics (7)

  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://privateca-content-688aa673-0000-2a86-a87a-088bc873570a.storage.googleapis.com/b4fb604825ecc5c3ce6b/crl.crl0
    • http://c2pa-ocsp.pki.goog/04
    • http://pki.goog/c2pa/media-1p-ica-g3.crt0
    • http://pki.goog/c2pa/root-g3.crt0&
    • http://c2pa-ocsp.pki.goog/0
    • http://pki.goog/c2pa/core-tsa-ica-g3.crt0
    • http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia
    • http://cv.iptc.org/newscodes/digitalsourcetype/composite
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: aee575b3baa0e6d25b56ad8f4c5b588eedf8a839438679461784b7287d874628
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6214 bytes