Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7c5a394b498b99b5…

MALICIOUS

Office (OLE) / .DOC

Size: 653.5 KB
Created: 2020-07-03 15:41:00
Authoring application: Microsoft Office Word
MD5: 9238004746767a7ce20f406e16c594ab
SHA-1: 73f1fc97c6ea1c1bacb2842e7148c830de670adb
SHA-256: 7c5a394b498b99b5c432b3f6af81df3f852a5d81a11f88568939139f724f0a3c
Risk Score: 630

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is a malicious Microsoft Word document that exploits CVE-2007-3899 to execute embedded VBA macros. The AutoOpen macro attempts to lure the user into enabling macros by displaying a message about protected content, and then proceeds to execute an embedded PE executable. The VBA script also references the Windows temporary directory, suggesting it may drop or execute payloads from there.

Heuristics (18)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely; rule CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (high, CVE likely; rule CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Shell() call in VBA (critical; rule OLE_VBA_SHELL)
  • Embedded PE executable (critical; rule OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) (high; rule SC_PEB_ACCESS)
  • Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
  • AutoOpen macro (high; rule OLE_VBA_AUTOOPEN)
  • Auto_Close macro (high; rule OLE_VBA_AUTOCLOSE)
  • CreateObject call (high; rule OLE_VBA_CREATEOBJ)
  • VBA p-code auto-exec with execution tokens (high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (high; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API (medium; rule SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (medium; rule SC_STR_VIRTUALPROTECT)
  • VBA macros detected (medium; rule OLE_VBA_MACROS)
    Document contains VBA macro code
  • Macro/content-enable lure (medium; rule SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Environ() call (env variable access) (low; rule OLE_VBA_ENVIRON)
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • macros.bas
    SHA-256: 599fe66afc8d44c6b1c6f2275391fec10fd0e42e748fdd003abf90f2d54936ff
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 2369 bytes
  • embedded_office_0000466e.exe
    SHA-256: d809a877f5645b65fb189334853c17e6a209a47b46604aee4cdaee24a812a6c5
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x466E
    Size: 651154 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved macro source contains an auto-exec entry point and execution/download terms.
  • ole10native_00.bin
    SHA-256: 2766635f6adba7befd23b3b231794edefed235f94a58e21552efd5c7dafab4ba
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1665806092/Ole10Native
    Size: 621356 bytes