Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 585823d78240de4f…

MALICIOUS

Office (OLE)

Size: 166.5 KB
Created: 2016-04-28 08:33:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 9b117b9aac005a6fc047a214458e599d
SHA-1: fe9ebb01e99ba191a4b736d17a45dcb783bf00d6
SHA-256: 585823d78240de4f41a50541f7d58b412958dff1c22025302f8487cb4aec7544
Risk Score: 402

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is a malicious Office document that contains an embedded executable and leverages legacy WordBasic AutoOpen macros. Heuristics flag string references to APIs such as CreateProcess, VirtualAlloc, and WriteProcessMemory, suggesting the embedded executable is likely staged for execution. The presence of suspicious URLs further supports the hypothesis that this document acts as a downloader for a second-stage payload.

Heuristics (11)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high] CVE likely: CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
    String reference to the WriteProcessMemory API.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable.
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Code pattern that reads the PEB through the FS segment (x86).
    Disassembly (attempted x86 opcode disassembly of the flagged region). Only the first instruction, which reads fs:[edx + 0x30] (the PEB pointer in the 32-bit TEB), matches the heuristic; the instructions that follow are not plausible as real code, so the region may be data that happens to contain the byte pattern.
    00006C59  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    00006C5D  2006              and byte ptr [esi], al
    00006C5F  0c79              or al, 0x79
    00006C61  1401              adc al, 1
    00006C63  7228              jb 0x6c8d
    00006C65  6a18              push 0x18
    00006C67  59                pop ecx
    00006C68  33ff              xor edi, edi
    00006C6A  c8c0ac00          enter -0x5340, 0
    00006C6E  3c61              cmp al, 0x61
    00006C70  7c02              jl 0x6c74
    00006C72  2c20              sub al, 0x20
    00006C74  c1cf00            ror edi, 0
    00006C77  0d03f8e2f0        or eax, 0xf0e2f803
    00006C7C  81ff5b03bc4a      cmp edi, 0x4abc035b
    00006C82  6a8b              push -0x75
    00006C84  5a                pop edx
    00006C85  10981275dbee      adc byte ptr [eax - 0x11248aee], bl
    00006C8B  c3                ret
    00006C8C  058944241c        add eax, 0x1c244489
    00006C91  61                popal
    00006C92  234455f0          and eax, dword ptr [ebp + edx*2 - 0x10]
    00006C96  ec                in al, dx
    00006C97  51                push ecx
    00006C98  53                push ebx
    00006C99  1d565760cf        sbb eax, 0xcf605756
    00006C9E  7508              jne 0x6ca8
    00006CA0  46                inc esi
    00006CA1  7d0c              jge 0x6caf
    00006CA3  9a3dc94937d17c    lcall 0x7cd1, 0x3749c93d
    00006CAA  70db              jo 0x6c87
    00006CAC  ac                lodsb al, byte ptr [esi]
    00006CAD  32c1              xor al, cl
    00006CAF  398acd3aea01      cmp dword ptr [edx + 0x1ea3acd], ecx
    00006CB5  d6                salc
    00006CB6  b608              mov dh, 8
    00006CB8  66                .byte 0x66
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    String reference to the CreateProcess API.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    String reference to the LoadLibrary API.
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    String reference to the GetProcAddress API.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    String reference to the VirtualAlloc API.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://hadfanawass.com/sl/gate.php|http://rophenreswi.ru/sl/gate.php|http://mihesfitons.ru/sl/gate. (third URL truncated in extraction) — in document text (OLE body)
    • https://krrewiaog3u4npcg.onion.to/sl/gate.php — in document text (OLE body)
    • http://api.ipify.org — in document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_0000624c.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x624C
    Size: 145332 bytes
    SHA-256: b52d4956a00aa05ba67a6f0aeb693d68393ffebd97dc42df910cf777bccf89af
    Detection
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_CREATEPROCESS.
      Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, GetProcAddress, OpenProcess, VirtualAlloc, VirtualAllocEx.
      Carved macro source contains an auto-exec entry point and execution/download terms.
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1523370679/Ole10Native
    Size: 115910 bytes
    SHA-256: fb813cf2a02654106f4191a8a56cac30ccdec4cdff488c6fbb79643853509be5
    Detection
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_CREATEPROCESS.
      Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, GetProcAddress, OpenProcess, VirtualAlloc, VirtualAllocEx.