Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e5b384fcdedc837e…

MALICIOUS

Office (OLE) / .DOC

Size: 2.19 MB
Created: 2025-07-17 22:50:00
Authoring application: Microsoft Office Word
MD5: 2b590cf1bdb3c71e0c076e32e97814a7
SHA-1: f7664903d0ee020065a79113d0e3d81a4f58b4f6
SHA-256: e5b384fcdedc837e8ecd1a06964e0c142ba2a7943eda20d6098ee618420dc230
Risk score: 500

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File
  • T1055.012 Process Injection: Process Hollowing

The sample is a malicious OLE document carrying a large VBA macro (863,195 bytes of decoded source). Static heuristics flag references to the CreateProcess, VirtualAlloc, WriteProcessMemory, LoadLibrary and GetProcAddress APIs, the combination a macro needs to create or open a process, allocate memory in it, write code into that memory and resolve further imports at run time; this API set is what the T1055.012 (process hollowing) mapping rests on. The heuristics also fire on PowerShell and cmd.exe references inside the VBA, and ClamAV classifies the document as Doc.Downloader.Pwshell-10001336-0. Taken together this indicates a macro that runs automatically on open (AutoOpen) and uses PowerShell to fetch and execute a second-stage payload. Two caveats for triage: the URLs extracted from the document are an OOXML DrawingML namespace URI and Microsoft/NirSoft documentation pages for PE header structures and Win32 process APIs, which is consistent with reference comments in copied loader code rather than with download locations, so the second-stage URL, if the macro carries one, was not recovered statically; and the API references are string-level matches in the macro source, so dynamic analysis is needed to confirm that the code path is actually reached.

Heuristics (13)

  • [critical] SC_STR_WRITEPROCESSMEMORY: Reference to WriteProcessMemory API
  • [critical] OLE_VBA_PS: PowerShell reference in VBA
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • [high] SC_STR_CREATEPROCESS: Reference to CreateProcess API
  • [high] SC_STR_POWERSHELL: Reference to PowerShell
  • [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API
  • [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
  • [high] OLE_VBA_CMD: cmd.exe reference in VBA
  • [high] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API
  • [medium] OLE_VBA_MACROS: VBA macros detected (document contains VBA macro code)
  • [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx
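The API-reference, PowerShell/cmd.exe and AutoOpen heuristics above, and the shell/COM token count reported for the extracted macro, all amount to a token scan over the decoded VBA source. The Python below is an added example of such a scan, not the analysis platform's engine and not code from this sample: it folds Chr() calls and split string literals back together before matching, because that is the kind of obfuscation the triage flags, and the VBA it runs on is a constructed loader stub, not the real macros.bas. The rule IDs reuse the report's names; the verdict thresholds in triage() are an assumption for the example.

```python
"""Static VBA macro triage, modelled on the heuristics listed in the report
above (SC_STR_* API references, OLE_VBA_* auto-exec and shell checks).
Added example, not the analysis platform's engine; the macro source below is
constructed to resemble a loader/downloader stub, not the real macros.bas."""
import re

# Win32 API stems from the SC_STR_* rules, with the severities the report assigns.
API_SEVERITY = {
    "WriteProcessMemory": "critical",
    "CreateProcess": "high",
    "LoadLibrary": "high",
    "GetProcAddress": "high",
    "VirtualAlloc": "medium",
}
# Procedure names Word/Excel run automatically when a document is opened or closed.
AUTOEXEC = ("AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open", "AutoExec", "AutoClose")
# Shell/COM execution tokens counted for the extracted-artifact triage line.
EXEC_TOKEN_RE = re.compile(
    r"\b(?:WScript\.Shell|ShellExecute[AW]?|CreateObject|GetObject|Shell)\b|\.(?:Run|Exec)\b", re.I)

# Constructed sample: API declarations plus an AutoOpen that assembles its
# command strings from Chr() codes and split literals (a common evasion).
SAMPLE_VBA = r'''
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" (ByVal lpApplicationName As String, ByVal lpCommandLine As String) As Long
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByRef lpBuffer As Any, ByVal nSize As LongPtr, ByRef lpNumberOfBytesWritten As LongPtr) As Long
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr

Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject("WS" & "cript" & ".Sh" & "ell")
    o.Run Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & "shell -nop -w hidden -enc AAAA", 0
    Shell "c" & "md.exe /c whoami", vbHide
End Sub
'''


def deobfuscate(src):
    """Fold Chr(n) calls into string literals and join adjacent literals so
    that strings assembled at run time ("po" & "wer" & ...) become visible."""
    def chr_to_literal(m):
        c = chr(int(m.group(1)))
        return '"' + (c * 2 if c == '"' else c) + '"'   # "" is VBA's escaped quote
    text = re.sub(r"\bChr[W$]?\(\s*(\d+)\s*\)", chr_to_literal, src, flags=re.I)
    prev = None
    while prev != text:                      # repeat until no "a" & "b" pairs remain
        prev, text = text, re.sub(r'"\s*&\s*"', "", text)
    return text


def scan_vba(src, fold_strings=True):
    """Return (rule_id, severity, evidence) findings in the report's terms."""
    text = deobfuscate(src) if fold_strings else src
    findings = []
    for api, sev in API_SEVERITY.items():
        # Declare statements and call sites; A/W/Ex suffixed variants share the stem.
        if re.search(r"\b" + api + r"(?:Ex)?[AW]?\b", text):
            findings.append(("SC_STR_" + api.upper(), sev, api))
    if re.search(r"\bpowershell(?:\.exe)?\b", text, re.I):
        findings.append(("OLE_VBA_PS", "critical", "powershell"))
    if re.search(r"\bcmd(?:\.exe\b|\s+/[ck]\b)", text, re.I):
        findings.append(("OLE_VBA_CMD", "high", "cmd.exe"))
    for name in AUTOEXEC:
        if re.search(r"\b(?:Sub|Function)\s+" + name + r"\b", text, re.I):
            findings.append(("OLE_VBA_AUTOOPEN", "high", name))
            break
    return findings


def count_exec_tokens(src):
    """Number of shell/COM execution tokens, as in the extracted-artifact triage."""
    return len(EXEC_TOKEN_RE.findall(deobfuscate(src)))


def triage(src):
    """Verdict rule is an assumption for this example: any critical finding is
    MALICIOUS, two or more high findings SUSPICIOUS, otherwise CLEAN."""
    findings = scan_vba(src)
    sevs = [s for _, s, _ in findings]
    if "critical" in sevs:
        verdict = "MALICIOUS"
    elif sevs.count("high") >= 2:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "findings": findings,
            "exec_tokens": count_exec_tokens(src),
            "autoexec": any(r == "OLE_VBA_AUTOOPEN" for r, _, _ in findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["verdict"], result["exec_tokens"], "exec tokens")
    for rule, sev, ev in result["findings"]:
        print(f"  {sev:8} {rule:28} {ev}")
```

Scanning the raw source with fold_strings=False misses both the PowerShell and the cmd.exe reference, which is why a triage pass that reports "obfuscation: likely" should fold strings before matching. To run this against a real document, feed it the decoded source that oletools' olevba extracts (the tool the Source column names; olevba --decode also prints its own view of the obfuscated strings), and treat the output as a prioritisation aid: the API matches are string-level, and whether the loader path is reached is a question for dynamic analysis.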

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 318206da2ad520d98dfd5370b146d93c90e0949f196c37c0c65ea81dd2fec99c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 863195 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Note: Carved artifact contains 7 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

The ClamAV results are not contradictory: the Doc.Downloader.Pwshell-10001336-0 signature fired on the OLE container above, while the decoded macro text carved out of it is a different file with its own hash and is not matched by that signature. The static triage verdict for the macro therefore rests on the token and obfuscation checks, not on a signature hit.