Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 62faf1ba4bcc636e…

MALICIOUS

Office (OLE) / .DOC

Size: 135.5 KB
Created: 2020-11-06 13:04:00
Authoring application: Microsoft Office Word
First seen: 2026-06-14
MD5: 6ee0e088f47ea45314d6511e46260290
SHA-1: a577f8a36cca4c6ad531b0e8bcb7ae0b61f39929
SHA-256: 62faf1ba4bcc636eb82564b69da0f444e8df6ab981b63992efb2e90299a9c4e8
Risk Score: 86

Heuristics 5

  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    OLE file is 138,752 bytes but its declared streams total only 82,351 bytes — 56,401 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Recovered VBA macro source from orphaned project [info] (OLE_ORPHANED_VBA_MACRO_SOURCE)
    oletools recovered no VBA project, but VBA source-cache records (module names, API calls, dropped paths and literal source lines) survive in unallocated OLE space — a stripped or corrupted VBA project, typical of legacy Word 97 macro viruses. The macro source was recovered and carved for review and signature scanning.
  • VBA project contains no executable statements [info] (OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, label: In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: vba_orphaned_source.txt
Kind: vba-orphaned-source
Source: analyzer.wordbasic.recover_length_prefixed_source (VBA source-cache records recovered from a stripped/orphaned project in unallocated OLE space)
Size: 435 bytes
SHA-256: 38123b5a84085de4cc93c0ef52fb093003b839464d0b87ad6e1df6c8d96c60e6
Preview script
First 1,000 lines of the extracted script
Project
ThisDocument
C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL
VBA
C:\Program Files (x86)\Microsoft Office\Office15\MSWORD.OLB
Word
C:\Windows\SysWOW64\stdole2.tlb
stdole
AutoExit
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSO.DLL
Office
Document
Document_Open
groovie
I09
I10
I11
I12
I13
I14
I15
AutoOpen
AutoClose
FileSaveAs
filesave
fileclose
fileprint
ViewVBCode
ToolsMacro
FileTemplates
I17
I16
VBE7.DLL