Office (OLE) / .5B3 malware analysis — suspicious · 734da6b10491a880

SUSPICIOUS

Office (OLE) / .5B3

1.10 MB Created: 1998-08-26 10:19:00 Authoring application: Microsoft Word 9.0

MD5: 4615f647e4f6716d33a29173b7ed82f2 SHA-1: 5ff52c9bfeec473851e7a3ad503f2b843e5382d4 SHA-256: 734da6b10491a88018dd7ae4ff0112a4af5f0671a0b5d6425eecf5356477ebab

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including an Auto_Close macro and a Shell() call, indicating a malicious intent to execute code. The VBA script attempts to launch a help file named 'AVAREP.HLP', which is likely a lure to execute a secondary payload or exploit. The document body itself is a template for a validation report, suggesting a social engineering pretext.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `3ab47836e2e6daa3a5516b1d4b311948388f7624b6d3e4b2cfe07fb77a955059`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	702490 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.