Verdict: MALICIOUS
Risk Score: 402

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample is a malicious Office document containing an embedded executable and leveraging legacy WordBasic AutoOpen macros. Heuristics indicate the use of APIs like CreateProcess, VirtualAlloc, and WriteProcessMemory, suggesting the embedded executable is likely staged for execution. The presence of suspicious URLs further supports the hypothesis that this document acts as a downloader for a second-stage payload.
Heuristics (11)

- OLE with Ole10Native — possible CVE-2026-21514 exploitation (high, CVE likely; rule CVE_2026_21514): Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
- Reference to WriteProcessMemory API (critical; rule SC_STR_WRITEPROCESSMEMORY)
- Embedded PE executable (critical; rule OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable.
- PEB access via FS segment (x86) (high; rule SC_PEB_ACCESS)

  Disassembly (attempted x86 opcode disassembly at the flagged region):

  ```asm
  00006C59 648b5230      mov edx, dword ptr fs:[edx + 0x30]
  00006C5D 2006          and byte ptr [esi], al
  00006C5F 0c79          or al, 0x79
  00006C61 1401          adc al, 1
  00006C63 7228          jb 0x6c8d
  00006C65 6a18          push 0x18
  00006C67 59            pop ecx
  00006C68 33ff          xor edi, edi
  00006C6A c8c0ac00      enter -0x5340, 0
  00006C6E 3c61          cmp al, 0x61
  00006C70 7c02          jl 0x6c74
  00006C72 2c20          sub al, 0x20
  00006C74 c1cf00        ror edi, 0
  00006C77 0d03f8e2f0    or eax, 0xf0e2f803
  00006C7C 81ff5b03bc4a  cmp edi, 0x4abc035b
  00006C82 6a8b          push -0x75
  00006C84 5a            pop edx
  00006C85 10981275dbee  adc byte ptr [eax - 0x11248aee], bl
  00006C8B c3            ret
  00006C8C 058944241c    add eax, 0x1c244489
  00006C91 61            popal
  00006C92 234455f0      and eax, dword ptr [ebp + edx*2 - 0x10]
  00006C96 ec            in al, dx
  00006C97 51            push ecx
  00006C98 53            push ebx
  00006C99 1d565760cf    sbb eax, 0xcf605756
  00006C9E 7508          jne 0x6ca8
  00006CA0 46            inc esi
  00006CA1 7d0c          jge 0x6caf
  00006CA3 9a3dc94937d17c lcall 0x7cd1, 0x3749c93d
  00006CAA 70db          jo 0x6c87
  00006CAC ac            lodsb al, byte ptr [esi]
  00006CAD 32c1          xor al, cl
  00006CAF 398acd3aea01  cmp dword ptr [edx + 0x1ea3acd], ecx
  00006CB5 d6            salc
  00006CB6 b608          mov dh, 8
  00006CB8 66            .byte 0x66
  ```
- Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
- Suspicious extracted artifact (high; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API (medium; rule SC_STR_VIRTUALALLOC)
- Legacy WordBasic auto-exec macro marker (medium; rule OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
  - http://hadfanawass.com/sl/gate.php
  - http://rophenreswi.ru/sl/gate.php
  - http://mihesfitons.ru/sl/gate.� (URL truncated in the extracted text)
  - https://krrewiaog3u4npcg.onion.to/sl/gate.php
  - http://api.ipify.org
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0000624c.exe | embedded-pe | Office MZ+PE at offset 0x624C | 145332 bytes | b52d4956a00aa05ba67a6f0aeb693d68393ffebd97dc42df910cf777bccf89af |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1523370679/Ole10Native | 115910 bytes | fb813cf2a02654106f4191a8a56cac30ccdec4cdff488c6fbb79643853509be5 |

Detection: embedded_office_0000624c.exe
- ClamAV: No threats found
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_CREATEPROCESS
- Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, GetProcAddress, OpenProcess, VirtualAlloc, VirtualAllocEx
- Carved macro source contains an auto-exec entry point and execution/download terms.

Detection: ole10native_00.bin
- ClamAV: No threats found
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_CREATEPROCESS
- Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, GetProcAddress, OpenProcess, VirtualAlloc, VirtualAllocEx