Malicious Office (OLE) / .DOT — malware analysis report

Static analysis result for SHA-256 2936956a80e4f240…

MALICIOUS

Office (OLE) / .DOT

Size: 504.0 KB
Created: 2008-12-17 00:13:00
Authoring application: Microsoft Word 8.0
MD5: edf2c2043893f2f6f922d9cf24c0cae7
SHA-1: 0d4604c7b1a396977c2dd636b1212adf63c22900
SHA-256: 2936956a80e4f240c16394569520154add26f3576fbba90511b0d00f91bc473c
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell

The file is a Word template containing VBA macros. Heuristics indicate the presence of ShellExecute API references and Shell() function calls within the VBA code. Both are commonly used to execute arbitrary commands, which suggests the macro is designed to download and execute a second-stage payload. The specific commands or URLs are not directly visible in the evidence provided, but the intent is clear.

Heuristics (4)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2e610d6a741eb289634ede16207588c851093938591121d0ba5db2d04a0b8ab6
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 390523 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 5 shell/COM execution token(s).