Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 53d854ff98330aac…

MALICIOUS

Office (OLE)

Size: 324.3 KB
Created: 2003-06-02 13:34:00
Authoring application: Microsoft Word 8.0
First seen: 2012-10-10
MD5: 5c48c064f8485de27f37f7f4f3b964b0
SHA-1: 1ad0ebdb4f79003b827d961bf0ea9a945fb71a44
SHA-256: 53d854ff98330aac4cf613998de97e1286057a0af6133b7ff49138b1371a6d7f
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The presence of a legacy WordBasic AutoOpen macro (OLE_LEGACY_WORDBASIC_AUTOEXEC) suggests an attempt to automatically execute code. Furthermore, the OLE_APPENDED_PAYLOAD heuristic indicates that the file contains an appended executable payload, strongly suggesting malicious intent. The VBA project itself contains no executable statements, but the AutoOpen marker and appended payload are sufficient indicators.

Heuristics (3)

  • [high] OLE_APPENDED_PAYLOAD: OLE file has appended executable-looking payload bytes
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • [low] OLE_VBA_MACROS: VBA project contains no executable statements
    Document contains a VBA project, but the extracted modules contain only attributes, options, and comments, and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 278 bytes
SHA-256: 0f2d3a9288fdf46e94539f5356d617d21477d8626eb3b5f890018d7e72cbd454

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bdoc2"