Office (OLE) / .DOC malware analysis — malicious · 57253f322504e0a8

MALICIOUS

Office (OLE) / .DOC

554.0 KB Created: 2025-06-16 07:49:00 Authoring application: Microsoft Office Word

MD5: 2632fa8fc67dd2fd5c5a6275465dcc95 SHA-1: 349a946e7385b2d2e4b66eacd4e6644af2697747 SHA-256: 57253f322504e0a8256d46f31c19e228b8c55a14ee18e759936c71941c8ee4ad

588 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information

The sample is a malicious Microsoft Office document containing VBA macros, specifically a Document_Open macro that executes shell commands. Critical heuristics indicate an embedded PE executable and XOR-encoded strings, suggesting the macro is designed to drop and run a secondary payload. The embedded executable was also flagged as malicious by ClamAV.

Heuristics 15

XOR-encoded strings (key 0x42) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x42: 'NtAllocateVirtualMemory'
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Doc.Malware.Macros-10058718-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Macros-10058718-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
PEB access via GS segment (x64) high SC_PEB_ACCESS_X64

PEB access via GS segment (x64)
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ab34e747df034c595035782f46f64d106bd278a3d28fe4a0b36526ff373c8290`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	12211 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`embedded_office_00002918.exe` `2128151c685d55b01271cd51d7bd692c51085ac94c028c871944348b9acbe769`	embedded-pe	Office MZ+PE at offset 0x2918	556776 bytes
Detection ClamAV: Win.Loader.Covenant-10058832-0 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms. Carved artifact entropy is 7.42, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.