We are given a file with the SHA-256 hash 9887f1e95b4e11825941bd207400d1cc1580a7d438969f6c8d8c656551d339e2. Running the file command on it in a
bash shell gives the following output:
$ file Downloads/9887f1e95b4e11825941bd207400d1cc1580a7d438969f6c8d8c656551d339e2
Downloads/9887f1e95b4e11825941bd207400d1cc1580a7d438969f6c8d8c656551d339e2: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: shad, Template: Normal, Last Saved By: user1, Revision Number: 21, Name of Creating Application: Microsoft Office Word, Total Editing Time: 25:00, Create Time/Date: Sun Mar 15 09:12:00 2015, Last Saved Time/Date: Fri Mar 20 09:02:00 2015, Number of Pages: 115, Number of Words: 77052, Number of Characters: 439202, Security: 0
From this we learn that we are dealing with a malicious Word document. Since the payload is most likely an MS Office macro, the next step is to use olevba
from oletools to extract the VBA code and deobfuscate it; for this I used the following command:
$ olevba --decode --deobf ./file
From the output, we can tell that some strings are slightly obfuscated. One of them is noteworthy: http:// is built as "h" + Chr(116) + Chr(116) + "p://" (Chr(116) is the letter t). Searching the code for that expression leads to a couple of string fragments that, when concatenated, give http[:]//savepic[.]su/5454016[.]jpg (the URL is defanged with [.]). Looking further into the macro code, we see the dropped JPG is saved in the TMP path as zoneflRfdfZKqMf.exe.
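As an added example (not the analyst's tooling and not olevba output), the following Python helper evaluates this kind of Chr()-and-literal concatenation, follows "s = s & ..." assignments across macro lines so the full URL is recovered, and defangs the result the way the write-up does. The sample macro lines are constructed: the http:// trick is the one quoted above, while the host and file names are placeholders.

```python
import re

# One token of a VBA string expression: a quoted literal ("" escapes a quote),
# Chr()/ChrW() with a decimal or &H hex argument, or a & / + concatenation.
_TOKEN = re.compile(
    r'\s*(?:"((?:[^"]|"")*)"'                       # 1: quoted literal
    r'|Chr(?:W)?\$?\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)'  # 2: Chr(116) / ChrW(&H74)
    r'|([&+]))', re.IGNORECASE)                     # 3: concatenation operator
# "name = expr" or "name = name & expr" (group 2 set when appending to itself)
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(?:(\1)\s*[&+])?\s*(.+?)\s*$', re.IGNORECASE)

def deobfuscate_vba_concat(expr):
    """Evaluate an expression made only of literals, Chr() calls and & / +."""
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported token at {pos}: {expr[pos:pos + 20]!r}")
        literal, chr_arg, _ = m.groups()
        if literal is not None:
            out.append(literal.replace('""', '"'))
        elif chr_arg is not None:
            out.append(chr(int(chr_arg[2:], 16) if chr_arg[:2].upper() == "&H" else int(chr_arg)))
        pos = m.end()
    return "".join(out)

def resolve_string_vars(vba_src):
    """Follow 'v = expr' / 'v = v & expr' lines; lines using anything else are skipped."""
    values = {}
    for m in filter(None, map(_ASSIGN.match, vba_src.splitlines())):
        try:
            piece = deobfuscate_vba_concat(m.group(3))
        except ValueError:
            continue
        name = m.group(1).lower()
        values[name] = (values.get(name, "") if m.group(2) else "") + piece
    return values

def defang(url):
    """Write a URL as http[:]//host[.]tld/... so it cannot be clicked by accident."""
    return url.replace("://", "[:]//").replace(".", "[.]")

# Constructed sample macro, not the document's VBA: the http:// trick is the one
# quoted in the write-up, the host and file names are placeholders.
SAMPLE_VBA = """\
s = "h" + Chr(116) + Chr(116) + "p://"
s = s & "example" & Chr(46) & "invalid"
s = s & Chr(47) & "payload" & Chr(46) & "jpg"
p = Environ("TMP") & "\\dropped.exe"
"""
```

Running resolve_string_vars(SAMPLE_VBA) yields only s, because the line building p calls Environ() and is therefore skipped rather than guessed at; defang(values["s"]) gives http[:]//example[.]invalid/payload[.]jpg.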