Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 fc2a338268758175…

MALICIOUS

Office (OLE) / .DOC

Size: 88.5 KB
Created: 2010-09-03 05:15:00
Authoring application: Microsoft Office Word
First seen: 2026-05-11
MD5: dab18106e6cc9005f9d47756cc44ad0a
SHA-1: 505c5cbf1c59a8e2fada43b86f28feadb7a39f34
SHA-256: fc2a3382687581754ea215d7ea50db219681b01a547e9df790e9475e07677eb8
Risk Score: 84

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is a Microsoft Word document that contains VBA macros. A heuristic firing indicates that VBA p-code auto-execution is present with the 'Shell' execution token, suggesting an attempt to run arbitrary commands when the document is opened. No document body content or scripts were extracted to further clarify the intent, but the presence of auto-execution macros is highly suspicious.

Heuristics (4)

  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA project contains no executable statements (severity: info; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)