Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a9fa1d0f517810c9…

MALICIOUS

Office (OLE) / .DOC

62.0 KB Created: 2024-07-10 19:54:00 Authoring application: Microsoft Office Word First seen: 2026-05-13
MD5: 0780d9ae4fcef7442f0fe99fcb794545 SHA-1: ccf4769bcce4b277db236358f480f8f65fb3bef7 SHA-256: a9fa1d0f517810c90aaecf2ee5fcbd7a73fff9a5f222dbed227f0aeae82a985e
84 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The sample is an OLE document with a VBA macro that is set to auto-execute. Although the VBA macros could not be directly extracted due to an unsupported format, the heuristic firing indicates an auto-execution method (AutoOpen) combined with an execution token (Shell). The document body presents itself as an admission exam form, a common lure for social engineering attacks. The presence of the 'macros.bas' file further supports the macro-based attack vector.

Heuristics 4

  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA project contains no executable statements info 1 related finding OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 713 bytes
SHA-256: a3236740446c03b8d9cee1f814904f50f7777df6a100124a1e57bc3979d79872
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "WININIT"



    
    
    
    
    
    
    
    
    
    
    
    
    
    
    





Attribute VB_Name = "AutoOpen"







    
        
    
        
    

    
        
    
        
    









    
                
                             
        
    







    
                
                             
        
    
















Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.