Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3a2a1eff040a79d6…

MALICIOUS

Office (OLE) / .DOC

943.0 KB Created: 2022-03-22 08:25:00 Authoring application: Microsoft Office Word First seen: 2022-03-21
MD5: f994697106f7c6cef2f394a9429d9e67 SHA-1: 15252272f8d6911731eef807a49f045ff97a8a46 SHA-256: 3a2a1eff040a79d603b1ac2609a423ad8beb46d2876aa959f60dc98477707c0f
302 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The sample contains a VBA macro within the Document_Open subroutine that executes a function to search for and open an embedded OLE document named 'borw4.doc' using the password '44'. The macro also attempts to create a file if it does not exist, suggesting a downloader or dropper functionality. The embedded OLE package itself has suspicious static findings, including an appended payload, indicating it likely contains a secondary stage.

Heuristics 9

  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGE
    OLE container holds MS-OFFCRYPTO encrypted package (Agile Encryption (Office 2010+)).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
aa3225c4f8390243fa076d9e3f114a901396dad2ce355923be19474c589c14a9		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1250 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin
e1a0df9e24bdcd2211ba323347383713d3a9f86b6885f43482edf62115aa0c47		 ole-package OLE Ole10Native stream: ObjectPool/_1709415777/Ole10Native 863511 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
embedded_office_off00004667.ole
7ffece84b0929751f2f748118268ff6b65ea1dae4cbaaafd7ef70bd936dafcab		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x4667 947609 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.