Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7ce0a97ba59f75ba…

MALICIOUS

Office (OLE) / .DOC

Size: 82.5 KB
Created: 2000-05-09 07:15:00
Authoring application: Microsoft Word 8.0
MD5: 57c1cc489db5115c1452d83a385fb207
SHA-1: a43393dfb74486cbb4a8e68746c9b03584003efa
SHA-256: 7ce0a97ba59f75ba1b917ce0348ac028dc98f9d5cf37a841025b1c96fa34ac9f
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious OLE document containing VBA macros that hook the AutoOpen and AutoClose events. The AutoClose macro attempts to disable macro security and may download or execute further malicious content; this is indicated by the presence of obfuscated code and by the attempt to manipulate macro settings. The visible document body is unrelated to the malicious functionality.

Heuristics (4)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 84,480 bytes, but its declared streams total only 30,868 bytes; the remaining 53,612 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    Document contains an AutoOpen macro, which runs when the document is opened.
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Document contains an Auto_Close macro, which runs when the document is closed.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2db4823bd0272438abfc258a48ac78fd3bac89288395ea4f72642be69b3dbf80
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28073 bytes