Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 4b0b043cbaabdf97…

MALICIOUS

Office (OLE) / .DOCX

Size: 1.07 MB
Created: 2021-05-20 10:16:00
Authoring application: Microsoft Office Word
MD5: de17357c5343026479fcd454c593a8d1
SHA-1: bc78ed0db121aa1a9b132c46a9ea643e36be2aec
SHA-256: 4b0b043cbaabdf97a47604f43883f55b358217b430a9407b602358593af5b521
Risk Score: 522

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with a Document_Open auto-exec function that uses the Shell() function to execute an embedded PE executable. This is further supported by heuristics indicating PEB access and references to the LoadLibrary, GetProcAddress, and VirtualProtect APIs, which are typical of malware execution. The presence of an embedded executable together with VBA-driven execution strongly suggests a malicious downloader or initial-access payload.

Heuristics (14)

  • Office EPRINT stream contains EMF object [high, CVE related] OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is evidence for the CVE-2007-3893/MS07-046 family when paired with Office exploit payload anomalies, but this rule alone does not prove that the EMF record is malformed.
  • OLE with Ole10Native, possible CVE-2026-21514 exploitation [high, CVE likely] CVE_2026_21514
    The document contains a Word OLE object with an Ole10Native stream plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside the document, indicating a possible embedded executable
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This catches p-code-only macro documents, and documents where source extraction failed, so that visible macro source is unavailable.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: the context-specific rules above attribute the URLs they actually evaluated, while this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 83e5bb7b78842e6cc089e78ca70aa1b0bdc97d050ffbeac6ac77bd23552833de
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1491 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
  • embedded_office_0008f068.exe
    SHA-256: 30eca6f768a81a9a3089bf1fec7e846e02086a64d557c75ea248e882f61a83e8
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x8F068
    Size: 531864 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.
  • ole10native_00.bin
    SHA-256: 3150aec4a366f3a8bfe7eb42fd8b0793ac26dc2bd77f0d3dc0f22d3b8f00ecb6
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1682985893/Ole10Native
    Size: 505626 bytes