Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bdf904c9b8e9aaf1…

MALICIOUS

Office (OLE)

Size: 52.0 KB
Created: 2000-03-24 10:10:00
Authoring application: Microsoft Office Word
First seen: 2026-05-10
MD5: 761e0849d10bbc925f33473e60fc8245
SHA-1: 030999ec5e971db7895b3794024be1605314ffcb
SHA-256: bdf904c9b8e9aaf141e81190dfc302b865f3a2f48a46392689617f0a9194c58c
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an OLE document that triggered a high-severity heuristic for VBA p-code auto-execution via CreateObject. Although VBA macros could not be extracted due to an unsupported format, the heuristic indicates an attempt to run code automatically when the document is opened. The document body contains what appears to be a mix of garbled characters and Russian text, including a section that resembles an employment leave request form, suggesting a social engineering lure. The primary intent appears to be the execution of a malicious macro to download a secondary payload.

Heuristics (3)

  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA project contains no executable statements [info, 1 related finding] OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.