Office (OLE) / .LIB malware analysis — suspicious · 88194756d8901fd7

SUSPICIOUS

Office (OLE) / .LIB

639.0 KB Created: 2001-12-12 02:14:13

MD5: f8ae4317ce1cdf4dec62c9fa61734cc6 SHA-1: 53298737c35e6642068eafb6d33721e6ebedbaea SHA-256: 88194756d8901fd777f516042e24121b451ca2079ad7d9f94b7ae6d0b42f3ca5

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an OLE object containing a large VBA macro, with multiple auto-execution functions (AutoOpen, Auto_Open, Auto_Close) detected. The macro code appears to interact with other workbooks and sheets, potentially to download or execute further payloads, although the specific actions are obfuscated and truncated. The presence of AutoOpen and Auto_Close macros strongly suggests an attempt to execute code automatically when the document is opened or closed.

Heuristics 5

AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `2bed50ff13136df51c1a0dad9fb984669fb85a90d11f1e6b570be39387e45db8`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	395889 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.