Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ae7f4faac7b4b37d…

MALICIOUS

Office (OLE) / .DOC

Size: 1.63 MB
Created: 2021-12-07 15:54:00
Authoring application: Microsoft Office Word

MD5: 139f85de1f23879544b5830cdc5b0599
SHA-1: b6fcc786037012439e6a4920c8ed5a6ca92b67db
SHA-256: ae7f4faac7b4b37d0e8161710bc29dcd840c9352bb5a051f8550fc293d574deb

Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious OLE document containing a VBA macro. The macro attempts to load and perform OCR on a TIFF image, suggesting an attempt to extract or process data from an image file. The presence of the AutoOpen macro and the OLE slack anomaly indicate malicious intent. The script also references specific file paths that may be used for staging or execution.

Heuristics (3)

  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    OLE file is 1,713,507 bytes but its declared streams total only 984,355 bytes — 729,152 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
    Document contains an AutoOpen macro, which runs automatically when the document is opened.
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e640225d8112ec39645368ef514fd3581b5e4493a35fdc7b68467171b8554f3f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 51767 bytes