Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9786fd636d041132…

MALICIOUS

Office (OLE) / .DOC

Size: 62.0 KB
Created: 2019-05-24 01:53:00
Authoring application: Microsoft Office Word
First seen: 2026-03-06
MD5: 17b415e0c4ffd3962141a50b04d3d854
SHA-1: 3fc373abe37d1ae320ff7e13f423bfe02f1c635e
SHA-256: 9786fd636d0411329aaae1e7a0fd4807940bf26753d826cab1817b7213fb51cb
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic

The sample is a malicious Word document containing VBA macros. The `Document_Close` subroutine is designed to modify the document's own VBA code and potentially the Normal.dotm template. This suggests an attempt to establish persistence or alter the behavior of future documents. The script also manipulates Word's security settings, specifically `VbaWarnings`, to potentially disable macro security prompts. The exact payload or ultimate goal is not fully discernible due to script truncation, but the macro manipulation is a clear indicator of malicious intent.

Heuristics 3

  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash: aada689cdc0f7c65cdaf376974e7148a9788589652d9a8ef3d7295f291c7aafb
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4610 bytes