Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 376f16644c2a63cc…

MALICIOUS

Office (OLE)

Size: 99.5 KB | Created: 2009-07-06 10:14:00 | Authoring application: Microsoft Office Word | First seen: 2026-05-10
MD5: 84886f8a93742d31ff59dd4d4d0e2a24 SHA-1: 3de15fca988b5a035d8cc08a61395b53caa11856 SHA-256: 376f16644c2a63cc6ec01dda208a04025b837c994d1d667121c48bf65c8e0598
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an OLE document authored in Word that fired a high-severity heuristic for VBA p-code auto-execution: the compiled VBA stream carries an AutoOpen entry point together with a Shell execution token. No executable VBA source could be recovered (the extraction reported an unsupported format, and the modules that were extracted contain only attributes, options and comments), which is the residue left when macro source is stripped while the compiled p-code is kept, so the source-level view understates what the document does and the p-code tokens should be treated as the primary evidence. Two URLs were extracted from the document body: http://www.ljr.de and an OOXML schema namespace identifier, which is standard markup rather than a download location; both were found in document text, not in macro code, so the URL evidence alone does not establish a secondary-payload download stage. The document body contains German text about a meeting or workshop, which appears to be the lure.

Heuristics (4)

  • VBA project contains no executable statements (severity: info) OLE_VBA_MACROS (1 related finding)
    The document contains a VBA project, but the extracted modules contain only Attribute lines, Option statements and comments, with no executable statements.
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Fires only on the COMBINATION of two token classes co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell, download or object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither class alone fires it; the pairing is what flags p-code-only documents and documents whose source extraction failed, where the visible VBA source is unavailable and the compiled p-code is the only record of what the macro does. The matched tokens are named in the detail line. Matched here: AutoOpen (entry point) and Shell (execution token).
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader attribution or a parser-CVE attribution.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it, and a URL reached only from document text is weaker evidence than one referenced from macro code.
    • http://www.ljr.de (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the DrawingML XML namespace identifier that Office markup carries by default, not a download location)
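The following is an added example, not part of this report or of the analysis engine that produced it, showing how the three checks above combine in practice: the "no executable statements" test on extracted module source, the auto-exec/execution token pairing rule over a compiled VBA stream (using the token lists quoted in the heuristic description), and per-URL labelling that separates XML namespace identifiers from external URLs. The module text, stream bytes and URL list are constructed for the example; the OLE container parsing that the real engine performs is not reproduced, and the namespace-prefix list is an assumption, not the engine's.

```python
import re

# Token lists copied from the OLE_VBA_PCODE_AUTOEXEC_EXEC description above.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")

# Assumed list of URL prefixes that are XML namespace identifiers in Office
# markup rather than download locations (example data, extend as needed).
NAMESPACE_URL_PREFIXES = ("http://schemas.openxmlformats.org/",
                          "http://schemas.microsoft.com/office/",
                          "http://www.w3.org/")

# Lines that carry no executable code: blank, comment, Attribute or Option.
_NON_EXEC_LINE = re.compile(r"^\s*(?:$|'|rem\b|attribute\s|option\s)", re.IGNORECASE)


def has_executable_statements(module_source: str) -> bool:
    """Same idea as OLE_VBA_MACROS: a module whose lines are all blank, comments,
    Attribute or Option statements carries no executable code. Stripping the
    source while keeping the p-code (VBA stomping) leaves exactly this residue."""
    return any(not _NON_EXEC_LINE.match(line) for line in module_source.splitlines())


def find_tokens(stream: bytes, tokens) -> list:
    """Case-insensitive substring search for identifiers in a compiled VBA stream.
    Identifiers can appear as ASCII or UTF-16LE, so both encodings are checked.
    Substring matching is deliberate: the pairing rule, not any single token,
    carries the signal, which keeps e.g. a lone 'Shell' from firing."""
    hay = stream.lower()
    hits = []
    for tok in tokens:
        if tok.lower().encode("ascii") in hay or tok.lower().encode("utf-16-le") in hay:
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream: bytes):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC: fires only when an auto-exec entry point AND
    an execution token co-occur in the same stream. Returns (fired, auto, execs)."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return (bool(auto) and bool(execs)), auto, execs


def label_url(url: str) -> str:
    """Per-URL label: namespace identifiers are markup, everything else is external."""
    return "namespace identifier" if url.startswith(NAMESPACE_URL_PREFIXES) else "external"


def triage(module_sources, streams, urls) -> dict:
    """Combine the checks the way the report is read: empty source plus a p-code
    stream that still carries the token pair points at stomped macros."""
    source_has_code = any(has_executable_statements(s) for s in module_sources)
    fired = any(pcode_autoexec_exec(s)[0] for s in streams)
    return {
        "vba_source_has_code": source_has_code,
        "pcode_autoexec_exec": fired,
        "vba_stomping_suspected": fired and not source_has_code,
        "urls": {u: label_url(u) for u in urls},
    }


# --- Constructed inputs (not taken from the real sample) ---
STOMPED_MODULE = """Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Option Explicit
' source stripped, only attributes remain
"""
# Compiled stream carrying both token classes: AutoOpen entry point plus Shell (UTF-16LE) and cmd.exe.
STOMPED_STREAM = b"\x00\x00\x10AutoOpen\x00\x00\x00" + "Shell".encode("utf-16-le") + b"\x00cmd.exe /c"
# Stream with an entry point but no execution token: must not fire.
BENIGN_STREAM = b"\x00Document_Open\x00MsgBox\x00"
URLS = ["http://www.ljr.de", "http://schemas.openxmlformats.org/drawingml/2006/main"]

if __name__ == "__main__":
    print(triage([STOMPED_MODULE], [STOMPED_STREAM], URLS))
```

For a real sample the module source would come from the VBA project's module streams and the p-code from the same project's compiled streams; the point of running both checks together is that a clean-looking source view never clears a document whose compiled stream still pairs an entry point with an execution token.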