Win.Trojan.Razy — Office (OLE) malware analysis

Static analysis result for SHA-256 844686768046be74…

MALICIOUS

Office (OLE)

950.5 KB Created: 2021-07-14 10:46:00
MD5: 2b0335d5f5ebaa57fad9997e1b8617e6 SHA-1: 53dc1baf7daf01ddd90959af4f5b0798c26d5b72 SHA-256: 844686768046be747157c2c54f023df742ef0b02094c23e591e9ee032af1ec63
602 Risk Score

Malware Insights

Win.Trojan.Razy · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample is identified as malicious by ClamAV with multiple signatures, including Win.Trojan.Razy. It contains VBA macros that leverage the `ShellExecuteA` API to execute commands. The `Document_Open` macro attempts to download and execute a DLL file named 'ier.dll' into the user's template path, indicating an Ingress Tool Transfer (T1105) attack pattern. The presence of embedded PE executables and the exploitation of CVE-2007-3899 further support the exploitation for client execution (T1203).

Heuristics 15

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Razy-9879269-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Razy-9879269-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
cd373730e402d9f03abae7f1bf19947d1010e6c9a796db35534731907f4e3852		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3215 bytes
embedded_office_0008ee6e.exe
510bb2f6448309f5122acb47d673a9a47748ef167a736b4b54d1238ee2691e43		 embedded-pe Office MZ+PE at offset 0x8EE6E 387986 bytes
Detection
ClamAV: Win.Packed.Zusy-9878765-0
Obfuscation or payload: unlikely
ole10native_00.bin
bdf4978babefb3e61bd2f7f93757b5577d47a5fff681c720c462378cf4051f66		 ole-package OLE Ole10Native stream: ObjectPool/_1687739748/Ole10Native 347436 bytes
Detection
ClamAV: Win.Trojan.Razy-9879269-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.