Office (OLE) malware analysis — malicious · bc7efe242b999f73

MALICIOUS

Office (OLE)

6.35 MB Created: 2006-03-18 08:43:40 Authoring application: Microsoft Excel First seen: 2019-04-18

MD5: 87f9804162f88c07957770cd5a557025 SHA-1: 736673b638b0f0265e6148f4d16f77162dd345bb SHA-256: bc7efe242b999f739ca540bd00ee51d028b45930e909a3317ff156ca22e70d03

422 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample is an Office document containing VBA macros and an embedded executable file. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the execution of malicious code. The embedded PE executable and the presence of VBA macros strongly indicate a malicious intent to download and execute a second-stage payload, likely via the embedded executable.

Heuristics 11

Legacy Flash object embedded in Office document high CVE related OFFICE_LEGACY_SWF_OBJECT

Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (6). This is old Flash-in-Office exploit-family evidence, not a specific Flash CVE without SWF tag-level validation.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF

Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.

Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x07 bytes found

Disassembly

Attempted x86 opcode disassembly

000D5EB1  07                pop es
000D5EB2  07                pop es
000D5EB3  07                pop es
000D5EB4  07                pop es
000D5EB5  07                pop es
000D5EB6  07                pop es
000D5EB7  07                pop es
000D5EB8  07                pop es
000D5EB9  07                pop es
000D5EBA  07                pop es
000D5EBB  07                pop es
000D5EBC  07                pop es
000D5EBD  07                pop es
000D5EBE  07                pop es
000D5EBF  07                pop es
000D5EC0  07                pop es
000D5EC1  07                pop es
000D5EC2  07                pop es
000D5EC3  07                pop es
000D5EC4  07                pop es
000D5EC5  07                pop es
000D5EC6  07                pop es
000D5EC7  07                pop es
000D5EC8  07                pop es
000D5EC9  07                pop es
000D5ECA  07                pop es
000D5ECB  07                pop es
000D5ECC  07                pop es
000D5ECD  07                pop es
000D5ECE  07                pop es
000D5ECF  07                pop es
000D5ED0  07                pop es
000D5ED1  07                pop es
000D5ED2  07                pop es
000D5ED3  07                pop es
000D5ED4  07                pop es
000D5ED5  07                pop es
000D5ED6  07                pop es
000D5ED7  07                pop es
000D5ED8  07                pop es
000D5ED9  07                pop es
000D5EDA  07                pop es
000D5EDB  07                pop es
000D5EDC  07                pop es
000D5EDD  07                pop es
000D5EDE  07                pop es
000D5EDF  07                pop es
000D5EE0  07                pop es
000D5EE1  07                pop es
000D5EE2  07                pop es
000D5EE3  07                pop es
000D5EE4  07                pop es
000D5EE5  07                pop es
000D5EE6  07                pop es
000D5EE7  07                pop es
000D5EE8  07                pop es
000D5EE9  07                pop es
000D5EEA  07                pop es
000D5EEB  07                pop es
000D5EEC  07                pop es
000D5EED  07                pop es
000D5EEE  07                pop es
000D5EEF  07                pop es
000D5EF0  07                pop es
000D5EF1  07                pop es
000D5EF2  07                pop es
000D5EF3  07                pop es
000D5EF4  07                pop es
000D5EF5  07                pop es
000D5EF6  07                pop es
000D5EF7  07                pop es
000D5EF8  07                pop es
000D5EF9  07                pop es
000D5EFA  07                pop es
000D5EFB  07                pop es
000D5EFC  07                pop es
000D5EFD  07                pop es
000D5EFE  07                pop es
000D5EFF  07                pop es
000D5F00  07                pop es
000D5F01  07                pop es
000D5F02  07                pop es
000D5F03  07                pop es
000D5F04  07                pop es
000D5F05  07                pop es
000D5F06  07                pop es
000D5F07  07                pop es
000D5F08  07                pop es
000D5F09  07                pop es
000D5F0A  07                pop es
000D5F0B  07                pop es
000D5F0C  07                pop es
000D5F0D  07                pop es
000D5F0E  07                pop es
000D5F0F  07                pop es
000D5F10  07                pop es

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://publicaties.hbd.nl/bid/ In document text (OLE body)
- http://taekemdejong.nl/Publications/2009/Territory59.pdfIn document text (OLE body)
- http://taekemdejong.nl/In document text (OLE body)
- https://lab1.macromedia.com/cgi-bin/flashdownload.cgiIn document text (OLE body)
- https://www.macromedia.com/bin/flashdownload.cgiIn document text (OLE body)
- http://www.macromedia.com/support/flashplayer/sys/In document text (OLE body)
- http://team.bk.tudelft.nl/Publications/2007/Territory/TerritoryIn document text (OLE body)
- http://www.cbs.nl/infoserviceIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	15516 bytes
SHA-256: `feed68b78e69aefcf624fd21e3dd5ccdf7a4308aa8bcdfd2e478067e89904a53`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Blad1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar3, 38, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar1, 37, 1, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 2, MSForms, ScrollBar" Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad19" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar2, 13, 2, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar1, 47, 3, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar3, 48, 4, MSForms, ScrollBar" Private Sub ScrollBar1_Change() End Sub Private Sub ScrollBar2_Change() End Sub Attribute VB_Name = "Blad13" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad9" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar2, 5, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar3, 6, 1, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar4, 7, 2, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar1, 8, 3, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar5, 9, 4, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar6, 10, 5, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar10, 184, 6, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar8, 180, 7, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar7, 181, 8, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar9, 183, 9, MSForms, ScrollBar" Private Sub ScrollBar1_Change() End Sub Attribute VB_Name = "Blad2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad5" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad6" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad8" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Private Sub ScrollBar1_Change() End Sub Attribute VB_Name = "Blad10" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad18" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad17" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad14" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad15" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad16" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 3, 1, MSForms, ScrollBar" Attribute VB_Name = "Blad20" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad7" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 47, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 49, 1, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar3, 50, 2, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar4, 51, 3, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar5, 52, 4, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar6, 53, 5, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar7, 55, 6, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar8, 56, 7, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar9, 57, 8, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar10, 58, 9, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar11, 59, 10, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar12, 60, 11, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar13, 61, 12, MSForms, ScrollBar" Private Sub ScrollBar1_Change() End Sub Private Sub ScrollBar12_Change() End Sub Attribute VB_Name = "Blad4" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad11" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar4, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar5, 3, 1, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar6, 4, 2, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar7, 5, 3, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar1, 6, 4, MSForms, ScrollBar" Attribute VB_Name = "Blad12" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad21" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 1, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 2, 1, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar3, 3, 2, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar4, 4, 3, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar5, 5, 4, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar6, 6, 5, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar7, 7, 6, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar8, 8, 7, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar9, 9, 8, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar10, 10, 9, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar11, 11, 10, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar12, 12, 11, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar13, 13, 12, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar14, 14, 13, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar15, 15, 14, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar16, 16, 15, MSForms, ScrollBar" Attribute VB_Name = "Blad22" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad23" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad24" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad25" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 2, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar4, 3, 1, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 9, 2, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar3, 10, 3, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar5, 12, 4, MSForms, ScrollBar" Attribute VB_Name = "Blad26" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ScrollBar1, 3, 0, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar2, 4, 1, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar3, 5, 2, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar4, 6, 3, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar5, 7, 4, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar6, 8, 5, MSForms, ScrollBar" Attribute VB_Control = "ScrollBar7, 10, 6, MSForms, ScrollBar" Attribute VB_Name = "Blad33" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad28" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad29" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad30" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad31" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Blad32" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`embedded_office_00053a81.exe`	embedded-pe	Office MZ+PE at offset 0x53A81	6313855 bytes
SHA-256: `51216c176158c77072bc595fa495ae06bd2c36084c2a15c29a2d7bc46c06b26b`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x07, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateProcessA
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD00080F22/Ole10Native	1054546 bytes
SHA-256: `2680adaddfd4753f084f3c08a3d337ba79acbc4b07e2d4541b89b07d2ca188be`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x07, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateProcessA
`ole10native_01.bin`	ole-package	OLE Ole10Native stream: MBD0008263F/Ole10Native	5127 bytes
SHA-256: `e2da41d45aa15a8b328fc24820ffb2e55b97dd0e12b4579ed454a3761488b699`
`ole10native_03.bin`	ole-package	OLE Ole10Native stream: MBD0008F872/Ole10Native	18999 bytes
SHA-256: `45b9c89da802e7a02f8a892c28f03e0924cac756f1cdb71943d2aac1e131f571`
`ole10native_04.bin`	ole-package	OLE Ole10Native stream: MBD0008F873/Ole10Native	7676 bytes
SHA-256: `411ee602d6add866a09a06dd2dcc29107390bd57ec3f0fab75477134cd7de839`
`ole10native_05.bin`	ole-package	OLE Ole10Native stream: MBD0008F883/Ole10Native	7674 bytes
SHA-256: `d8ffef6866c0cc651cad261b38772cf6ab188fb82d631c899d5a57b1cfb0984a`
`ole10native_06.bin`	ole-package	OLE Ole10Native stream: MBD00175413/Ole10Native	200827 bytes
SHA-256: `f7fcffa022f2285ae71967536f5058369afe774323f5822ff73216e4a4305a6c`
`ole10native_07.bin`	ole-package	OLE Ole10Native stream: MBD00207FD9/Ole10Native	4311 bytes
SHA-256: `e9306ec43cf354c2421c8f675812f23630d6715db292f4e936cd404799c14a21`

Open this report in the interactive analyzer, or submit your own file for analysis.