Office (OLE) / .DOC malware analysis — malicious · 40c3eb22a02601cf

MALICIOUS

Office (OLE) / .DOC

633.5 KB Created: 2021-01-13 15:02:00 Authoring application: Microsoft Office Word

MD5: e920a98ccda2ecf95cca8e6d4e66e0ac SHA-1: e39ee8709a55f915446d4d22d581aa03422b6378 SHA-256: 40c3eb22a02601cf70a4ae08eeaa5805144386bc13882e5f110c133b1d0ede8e

520 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro triggers the execution of an embedded PE executable file. This executable was detected by ClamAV as Win.Dropper.PinkSbot. The presence of ShellExecute and VirtualAlloc API calls further indicates malicious activity, likely related to the execution of the dropped payload.

Heuristics 13

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Doc.Dropper.Hancitor-9845854-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f4f6524f707c592691c94a71cb28e232f2ecfc89447c765d4169193ba44add5f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3947 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
`embedded_office_00022275.exe` `2b32d7cdeb9473f681919d38e5f675e8e8a2ca8ec8a9b2edf1b45277956d9a76`	embedded-pe	Office MZ+PE at offset 0x22275	508811 bytes
Detection ClamAV: Win.Dropper.PinkSbot-9853703-0 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin` `92a670f1cd9bd3c6104a9effaa1963edc9215f85dbe0eac7b864bff3f51f988e`	ole-package	OLE Ole10Native stream: ObjectPool/_1672026558/Ole10Native	470849 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.