Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 dffe3ec0026d00bf…

MALICIOUS

Office (OLE) / .DOC

83.5 KB Created: 2010-08-04 04:46:00 Authoring application: Microsoft Word 10.0 First seen: 2026-05-11
MD5: 9cdd8a11dc9e8d59e85ccba2c6b0d1d1 SHA-1: fb93a197c04e85d7143e7dcd35a8f4f07bcc1bfc SHA-256: dffe3ec0026d00bfb87f407f58d01976e341f81c068de0ca1094604bed27041d
84 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an OLE document with a high-severity heuristic firing for VBA p-code auto-execution via the Document_Open macro, indicating an attempt to run malicious code upon opening. Although VBA macros could not be extracted due to an unsupported format, the presence of the auto-execution token suggests the intent to execute a payload. Several suspicious URLs were also extracted from the document body, which may be related to the payload delivery.

Heuristics 4

  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA project contains no executable statements info 1 related finding OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.microsoft.comi In document text (OLE body)
    • http://www.5iantlavalampft-com:office:smarttagskIn document text (OLE body)
    • http://www.5iamas-microsoft-com:office:smarttags8In document text (OLE body)
    • http://www.5iantlavalampft-com:office:smarttagsVIn document text (OLE body)
    • http://www.5iantlavalamp.com/_In document text (OLE body)
    • http://www.5iantlavalamp.com/In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.