Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c470348fcd143490…

MALICIOUS

Office (OLE) / .DOC

Size: 256.5 KB
Created: 2017-06-14 21:47:00
Authoring application: Microsoft Office Word
First seen: 2026-06-10
MD5: 5c3f4f88b14e2651f99ba8170beb8085
SHA-1: 3f5c71e5186a48691be15819a4d2c9f7850b8123
SHA-256: c470348fcd143490c29f439d6a0423cb570fda679033f10d1c094f2452b7dec8
Risk Score: 124

Heuristics (5)

  • Raw OLE macro native-memory callback shellcode loader (critical, OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER)
    Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 262,656 bytes but its declared streams total only 145,794 bytes — 116,862 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project contains no executable statements (info, OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ole_raw_native_loader_00_alternating-minus4-minus3-b64.bin
    Kind: ole-raw-native-loader-blob
    Source: raw OLE/VBA native-memory callback loader decoded from printable run at offset 0x3178C using alternating-minus4-minus3-b64
    Size: 5883 bytes
    SHA-256: f1a0d4ef92a1a0fc1fd73e200fc3bf2b90628b3b1677fe4caf0f61bec11de7e9
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS
  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 344 bytes
    SHA-256: ae87a3eb99ad7e6cff7938b407cd254c7aa0e3c35b111b61061cee5dacfc2fa6
    Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "bullheaded"
Attribute VB_Base = "0{F8D606B1-68F9-4C6A-A896-23139FFA9C40}{B4495743-8871-4887-9DC4-A8966B078A38}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False