Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4ace3eb0df5245f2…

MALICIOUS

Office (OLE) / .DOC

71.5 KB
Created: 2002-09-10 07:09:00
Authoring application: Microsoft Word 10.0
MD5: 3c2de75d18c5d98d228e15551e406f97
SHA-1: e05e190bd4dbce9939556e7aa4a3bcae8aa75aac
SHA-256: 4ace3eb0df5245f24c050a4914da0c32e2676c6598b31124fbbc934bbb40a7cc
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is a Microsoft Word document containing VBA macros, including AutoOpen and Auto_Close functions, which are commonly used to initiate malicious actions. The presence of these macros and the high percentage of slack space suggest the document is designed to conceal malicious code. The document body content discusses temporal concepts in early childhood education, which appears to be a lure unrelated to the malicious functionality.

Heuristics 4

  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 73,216 bytes but its declared streams total only 38,325 bytes — 34,891 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (8f5bf91296ae602d031be5c72a8f3d7f50c7bb4e5c0ad4c6cab8dd52930ac35c) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4144 bytes