Office (OLE) / .DOC malware analysis — suspicious · 83972d5474a1d807

SUSPICIOUS

Office (OLE) / .DOC

28.0 KB Created: 2022-02-13 15:00:00 Authoring application: Microsoft Office Word

MD5: a8a624e79ce84c5d8c40d55eaf701d05 SHA-1: f147abbc5c06ddaa3d6e3ccd13261a78b65708a8 SHA-256: 83972d5474a1d807a1197cdaeb64b0e190a13c6f2cd69772c847feccf1517260

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes upon opening the document. This macro uses CreateObject to instantiate the Windows Installer service and then calls InstallProduct to download and execute a MSI file from the URL https://filebin.net/esn5g5841ddrd09y/bin.msi. This indicates a downloader or dropper functionality.

Heuristics 6

Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://filebin.net/esn5g5841ddrd09y/bin.msi�
- https://filebin.net/esn5g5841ddrd09y/bin.msi
- http://schemas.openxmlformats.org/drawingml/2006/main
- https://docs.microsoft.com/en-us/windows/win32/msi/action
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `bea64e2a22cddd06bf3d068c0138884c87dd1d0d76ef9c9649b0960efe9a136d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	637 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.