Office (OLE) / .DOT malware analysis — malicious · c16a46ac94a2022d

MALICIOUS

Office (OLE) / .DOT

2.14 MB Created: 2001-04-20 05:55:00 Authoring application: Microsoft Word 9.0

MD5: f2f888088534f37a4840de007935880d SHA-1: 3de5467a288a20a78c8583b6686679b9c06ff2ab SHA-256: c16a46ac94a2022d8e4a57edcbe49c73ca95de598bde749e8636cb68b62bf18d

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file is a Microsoft Word template (.DOT) containing a large VBA macro. The macro utilizes `Shell()` and `CreateObject()` functions, indicating it's designed to execute arbitrary code. The presence of 'VBA Chr string obfuscation' and the extracted artifact 'macros.bas' further support this. The document body's warning about modifications affecting functionality suggests the template is intended for a specific application, but the macro's execution capabilities point towards a malicious downloader or dropper.

Heuristics 5

ADODB.RecordSet — CVE-2015-0097 high CVE likely CVE_2015_0097

ADODB.RecordSet — CVE-2015-0097
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ed5a3d8c1c68b300f90951281276c23cf99ad2e27a2a9ceea3fff999fcd2705e`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	421491 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 22 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.