Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 320a5da0eec0c821…

MALICIOUS

Office (OLE) / .DOC

Size: 1.24 MB
Created: 2010-04-15 08:42:00
Authoring application: Microsoft Office Word
First seen: 2026-05-10
MD5: 3379af5c1d6f87adf0c10076e259830c
SHA-1: d646a578732b4d917628d68eb76ee35d2e8d35e1
SHA-256: 320a5da0eec0c821b0e80fbffc33e661cf9b5e92f9706c7cd77274a12f97ff66
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file is a Microsoft Word document containing what appears to be internal technical documentation. However, a high-severity heuristic fired, indicating the presence of an EMF object within an OLE EPRINT stream, which is a common technique for embedding malicious content or exploits within Office documents. No VBA macros were extractable, but the EMF object itself is a significant indicator of potential malicious intent. The document body content does not directly suggest malicious activity, but the embedded object is highly suspicious.

Heuristics 3

  • Office EPRINT stream contains EMF object (severity: high; CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and counts as related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Application.OrganizerCopy _

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3339 bytes
SHA-256: 37f21e40398e627bea5730e592bec6ae20c876124edf1c120b19075d330d3a49
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul_CD"
' Macros for creating new document templates with ND48 based on the CI/CD base documents
' 30.07.08

Sub AutoNew()
' Autostart macro copies all macros of Modul_CD into the new document

    Application.OrganizerCopy _
        Destination:=ActiveDocument.FullName, _
        Source:=ActiveDocument.AttachedTemplate.FullName, _
        Name:="Modul_CD", _
        Object:=wdOrganizerObjectProjectItems
End Sub

Sub Titelgrafik_Loeschen()
'
' Macro recorded on 30.07.2008 by Spengler.H
'
    If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
        ActiveWindow.Panes(2).Close
    End If
    If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
        ActivePane.View.Type = wdOutlineView Then
        ActiveWindow.ActivePane.View.Type = wdPrintView
    End If
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    Selection.HeaderFooter.Shapes(1).Select
    Selection.ShapeRange.Delete
    ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
End Sub


Sub AlleFelderAktualisieren()
    Dim rngDoc As Range
    Dim oDoc As Document
    Set oDoc = ActiveDocument
    For Each rngDoc In oDoc.StoryRanges
        rngDoc.Fields.Update
        While Not (rngDoc.NextStoryRange Is Nothing)
            Set rngDoc = rngDoc.NextStoryRange
            rngDoc.Fields.Update
        Wend
    Next rngDoc
End Sub

Sub TitelEinfuegen()
    
    With Dialogs(wdDialogInsertPicture)
      If .Display = -1 Then
        Dim mypicture
        Set mypicture = ActiveDocument.Shapes.AddPicture(FileName:=.Name)
        
        mypicture.LockAspectRatio = msoFalse
        mypicture.WrapFormat.Type = 3
        mypicture.RelativeHorizontalPosition = wdRelativeHorizontalPositionPage
        mypicture.RelativeVerticalPosition = wdRelativeVerticalPositionPage
        mypicture.Top = CentimetersToPoints(0)
        mypicture.Left = CentimetersToPoints(0)
        mypicture.Width = CentimetersToPoints(21)
        mypicture.Height = CentimetersToPoints(29.7)

        mypicture.Select
        Selection.Cut
        
      End If
    End With
    
    ' Header/footer
    
    If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
        ActiveWindow.Panes(2).Close
    End If
    If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
        ActivePane.View.Type = wdOutlineView Or ActiveWindow.ActivePane.View.Type _
         = wdMasterView Then
        ActiveWindow.ActivePane.View.Type = wdPageView
    End If
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    
' delete existing title image
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    Selection.HeaderFooter.Shapes(1).Select
    Selection.ShapeRange.Delete
    
' insert new title image
    Selection.Paste
    Selection.ShapeRange.ZOrder msoSendToBack
    Selection.ShapeRange.ZOrder msoSendBehindText
    ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
    
End Sub