Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2ac3b573d70c40c5…

MALICIOUS

Office (OLE) / .DOC

735.5 KB Created: 2021-01-11 12:52:00 Authoring application: Microsoft Office Word
MD5: 425df180a9053ce5da2f5a27e1e93696 SHA-1: 73918ba5def170bea031c40dbb8c1355c7e5d1a7 SHA-256: 2ac3b573d70c40c5c0fafe4e5914c723f2322a1c9cd76d232447654604ff8b76
760 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer T1055.012 Process Hollowing

The sample is a malicious OLE document containing VBA macros that leverage Shell() and CreateObject() to execute embedded content. Heuristics indicate the use of process injection APIs like WriteProcessMemory and LoadLibrary, suggesting the embedded PE executable is likely used to download and execute a second-stage payload. The ClamAV detection of 'Doc.Dropper.Hancitor-9845854-0' and 'Win.Dropper.PinkSbot-9853702-0' on an extracted artifact further supports this dropper functionality.

Heuristics 19

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Doc.Dropper.Hancitor-9845854-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1e23a61a097a11bba4a2d9383cb4d2eb5ff7f540a3fdf86a752275ddb368635b		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3973 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
embedded_office_00022483.exe
76c6db91ba1bd929338151eb6b7efa3d4639e5625a1eb5fa3ac84b030a30c998		 embedded-pe Office MZ+PE at offset 0x22483 612733 bytes
Detection
ClamAV: Win.Dropper.PinkSbot-9853702-0
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin
3cc59d748a953c9859baa037b1d8c8594e94a11eff652cfbff83acd95c924b68		 ole-package OLE Ole10Native stream: ObjectPool/_1671853140/Ole10Native 570731 bytes
Detection
ClamAV: Win.Dropper.PinkSbot-9853702-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.