Office (OLE) / .DOC malware analysis — malicious · 603509c3e581d547

MALICIOUS

Office (OLE) / .DOC

10.8 KB First seen: 2026-02-23

MD5: a8fee563a35e9413134f43e0450587eb SHA-1: 109be6cd0e7d12ebe0ddfd504d1daa12e2e973e5 SHA-256: 603509c3e581d547616df569ead529f5cbc52df5197a38b404cc647352029cc4

64 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing VBA macros. The heuristic firings indicate a heap spray pattern and the presence of macros, suggesting an attempt to exploit vulnerabilities or download additional malware. The embedded 'macros.bas' file is the primary artifact of interest.

Heuristics 4

Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x41 (A) bytes found
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/package/2006/metadata/core-properties
- http://purl.org/dc/elements/1.1/
- http://purl.org/dc/terms/
- http://purl.org/dc/dcmitype/
- http://www.w3.org/2001/XMLSchema-instance

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7a61c01e01a93ae1d7458b3e7fc334f90e63bae671a5144eced94b6684a0dc24`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11029 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.