Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 ebb7600ebb03d831…

MALICIOUS

Office (OLE) / .DOCX

188.5 KB Created: 2001-04-06 10:02:00 Authoring application: Microsoft Word 9.0
MD5: 3e468abf4dc82a51d290ceb92b6fda3e SHA-1: f0dbbd4c6e56b3099c715fe62ca0879a26deab6d SHA-256: ebb7600ebb03d831481fb8905141cac41bc25b9d5aef492f134cb481d3dda20c
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1505.003 Server Software Component: OLE T1204.002 Malicious File: User Execution: Malicious File

The sample contains VBA macros, specifically an AutoOpen macro, which is designed to execute automatically when the document is opened. The script attempts to create a file at 'c:\windows\system\SARC.dll' and save the current document as 'c:\windows\system\EXE Cuttor.doc'. It also attempts to copy the 'Module3' macro to 'Normal.dot'. This behavior is indicative of a downloader or dropper malware. The ClamAV detection 'Doc.Trojan.Cuttor-1' further supports the malicious nature of the file.

Heuristics 8

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Trojan.Cuttor-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Cuttor-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
2c71bdc5884bdea5af2c395d970ccb81cdaa423ec09916e3eabfe02e04667e97		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 11594 bytes
Detection
ClamAV: Doc.Trojan.Cuttor-1
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin
0867a1853134f5b980288576dc975860f5066970bc44cc186611333171efae5f		 ole-package OLE Ole10Native stream: ObjectPool/_1053155439/Ole10Native 38308 bytes
ole10native_01.bin
9a7677895d9f1d869a93ae02c5694878cb0daa52f9bcea615a157fae9a4544ef		 ole-package OLE Ole10Native stream: ObjectPool/_1053159965/Ole10Native 52644 bytes
ole10native_02.bin
9bec50e4f528f9e357e2949fc011bdd418aed406ef81c21713472f90bfee7a15		 ole-package OLE Ole10Native stream: ObjectPool/_1053160635/Ole10Native 20196 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.