Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c5c4b8473d2df7ca…

MALICIOUS

Office (OLE) / .DOC

Size: 1.24 MB
Created: 2010-04-15 08:42:00
Authoring application: Microsoft Office Word
First seen: 2026-05-10
MD5: 21b538126851ca0475f6fdc47f03d73c
SHA-1: 82638519ae93ab86dd39e2a30ad63f33afff0b4d
SHA-256: c5c4b8473d2df7cae380da98a66b8f99a249f93c936d2cee0fd5d1ae72ead22b
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file is a Microsoft Office document containing an embedded EMF object within an OLE stream. While VBA macros could not be extracted, the presence of the EMF object is a strong indicator of malicious intent, likely to exploit vulnerabilities or deliver a payload. The document body appears to be technical documentation, suggesting a pretext for embedding the malicious object.

Heuristics 3

  • Office EPRINT stream contains EMF object (severity: high; CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and serves as related Office object-delivery evidence when paired with exploit payload anomalies, but this rule alone does not prove the malformed graphics record required for exact CVE attribution.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Application.OrganizerCopy _

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3339 bytes
SHA-256: 37f21e40398e627bea5730e592bec6ae20c876124edf1c120b19075d330d3a49
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul_CD"
' Macros for creating new document templates with ND48 based on the CI/CD base documents
' 30.07.08

Sub AutoNew()
' Autostart macro copies all macros of the Modul_CD module into the new document

    Application.OrganizerCopy _
        Destination:=ActiveDocument.FullName, _
        Source:=ActiveDocument.AttachedTemplate.FullName, _
        Name:="Modul_CD", _
        Object:=wdOrganizerObjectProjectItems
End Sub

Sub Titelgrafik_Loeschen()
'
' Macro recorded on 30.07.2008 by Spengler.H
'
    If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
        ActiveWindow.Panes(2).Close
    End If
    If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
        ActivePane.View.Type = wdOutlineView Then
        ActiveWindow.ActivePane.View.Type = wdPrintView
    End If
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    Selection.HeaderFooter.Shapes(1).Select
    Selection.ShapeRange.Delete
    ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
End Sub


Sub AlleFelderAktualisieren()
Dim rngDoc As Range
    Dim oDoc As Document
    Set oDoc = ActiveDocument
    For Each rngDoc In oDoc.StoryRanges
      rngDoc.Fields.Update
      While Not (rngDoc.NextStoryRange Is Nothing)
        Set rngDoc = rngDoc.NextStoryRange
        rngDoc.Fields.Update
     Wend
   Next rngDoc
End Sub

Sub TitelEinfuegen()
    
    With Dialogs(wdDialogInsertPicture)
      If .Display = -1 Then
        Dim mypicture
        Set mypicture = ActiveDocument.Shapes.AddPicture(FileName:=.Name)
        
        mypicture.LockAspectRatio = msoFalse
        mypicture.WrapFormat.Type = 3
        mypicture.RelativeHorizontalPosition = wdRelativeHorizontalPositionPage
        mypicture.RelativeVerticalPosition = wdRelativeVerticalPositionPage
        mypicture.Top = CentimetersToPoints(0)
        mypicture.Left = CentimetersToPoints(0)
        mypicture.Width = CentimetersToPoints(21)
        mypicture.Height = CentimetersToPoints(29.7)

        mypicture.Select
        Selection.Cut
        
      End If
    End With
    
    ' Header/footer
    
    If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
        ActiveWindow.Panes(2).Close
    End If
    If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
        ActivePane.View.Type = wdOutlineView Or ActiveWindow.ActivePane.View.Type _
         = wdMasterView Then
        ActiveWindow.ActivePane.View.Type = wdPageView
    End If
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    
' delete the existing title image
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    Selection.HeaderFooter.Shapes(1).Select
    Selection.ShapeRange.Delete
    
' insert the new title image
    Selection.Paste
    Selection.ShapeRange.ZOrder msoSendToBack
    Selection.ShapeRange.ZOrder msoSendBehindText
    ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
    
End Sub