Office (OLE) / .DOC malware analysis — malicious · 6a22c0f7cafd717d

MALICIOUS

Office (OLE) / .DOC

191.5 KB Created: 2025-11-05 08:52:00

MD5: ec0e4a3dcfcc85ed52783f7cf2e80ddf SHA-1: 2b50d250472befcddcb6b2f4f5083fc316e142fe SHA-256: 6a22c0f7cafd717d4bc7408d7cf045f864939dd11f6d61a1b557e25a65fe4b7e

232 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample is a malicious OLE document containing obfuscated VBA macros. The AutoOpen macro triggers a UserForm that displays a CAPTCHA, likely as a social engineering tactic to trick the user into interacting with the document and potentially enabling further malicious actions. The presence of Shell() and CreateObject() calls within the VBA code indicates an intent to execute arbitrary commands or load external components.

Heuristics 8

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `17e9dd21d0f47d7453525f57d4d93688e8179240f23536f87962bb6bdc5aa706`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	711670 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2703 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.