Office (OLE) / .PGP malware analysis — suspicious · 776813f853657b3a

SUSPICIOUS

Office (OLE) / .PGP

28.5 KB Created: 2001-01-07 12:37:00 Authoring application: Microsoft Word 9.0

MD5: 343fc421b1c54652194b3970c725211d SHA-1: 1707e3b7263ce92e81ab18cd40882db252ab4417 SHA-256: 776813f853657b3a8dade75f14096a58ddd2e5e86065a6d5ef3ab53d6246c517

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1041 Exfiltration Over C2 Protocol T1110 Brute Force

The AutoClose VBA macro executes a Shell command to upload the user's PGP private key ('Secring.skr') to an FTP server at '209.201.88.110'. The script attempts to bypass detection by checking for the presence of a registry key before proceeding. This indicates an attempt to steal sensitive cryptographic material.

Heuristics 4

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `6bf45a510fc59c5310b9f7db9295ddc4a7f945b24e173a749466a87fe4dd29d4`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2082 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.