Office (OLE) / .DOC malware analysis — malicious · 62faf1ba4bcc636e

MALICIOUS

Office (OLE) / .DOC

135.5 KB Created: 2020-11-06 13:04:00 Authoring application: Microsoft Office Word First seen: 2026-06-14

MD5: 6ee0e088f47ea45314d6511e46260290 SHA-1: a577f8a36cca4c6ad531b0e8bcb7ae0b61f39929 SHA-256: 62faf1ba4bcc636eb82564b69da0f444e8df6ab981b63992efb2e90299a9c4e8

86 Risk Score

Heuristics 5

Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 138,752 bytes but its declared streams total only 82,351 bytes — 56,401 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Recovered VBA macro source from orphaned project info OLE_ORPHANED_VBA_MACRO_SOURCE

oletools recovered no VBA project, but VBA source-cache records (module names, API calls, dropped paths and literal source lines) survive in unallocated OLE space — a stripped or corrupted VBA project, typical of legacy Word 97 macro viruses. The macro source was recovered and carved for review and signature scanning.
VBA project contains no executable statements info OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

vba_orphaned_source.txt vba-orphaned-source analyzer.wordbasic.recover_length_prefixed_source (VBA source-cache records recovered from a stripped/orphaned project in unallocated OLE space) 435 bytes

Filename	Kind	Source	Size
`vba_orphaned_source.txt`	vba-orphaned-source	analyzer.wordbasic.recover_length_prefixed_source (VBA source-cache records recovered from a stripped/orphaned project in unallocated OLE space)	435 bytes
SHA-256: `38123b5a84085de4cc93c0ef52fb093003b839464d0b87ad6e1df6c8d96c60e6`
Preview script First 1,000 lines of the extracted script Project ThisDocument C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL VBA C:\Program Files (x86)\Microsoft Office\Office15\MSWORD.OLB Word C:\Windows\SysWOW64\stdole2.tlb stdole AutoExit C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSO.DLL Office Document Document_Open groovie I09 I10 I11 I12 I13 I14 I15 AutoOpen AutoClose FileSaveAs filesave fileclose fileprint ViewVBCode ToolsMacro FileTemplates I17 I16 VBE7.DLL

SHA-256: 38123b5a84085de4cc93c0ef52fb093003b839464d0b87ad6e1df6c8d96c60e6

Preview script

First 1,000 lines of the extracted script

Project
ThisDocument
C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL
VBA
C:\Program Files (x86)\Microsoft Office\Office15\MSWORD.OLB
Word
C:\Windows\SysWOW64\stdole2.tlb
stdole
AutoExit
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSO.DLL
Office
Document
Document_Open
groovie
I09
I10
I11
I12
I13
I14
I15
AutoOpen
AutoClose
FileSaveAs
filesave
fileclose
fileprint
ViewVBCode
ToolsMacro
FileTemplates
I17
I16
VBE7.DLL

Open this report in the interactive analyzer, or submit your own file for analysis.