MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate or Obfuscate Malicious Files or Information
The sample contains VBA macros and presents itself as a document related to user account management and firm details, including phone numbers for help desks. The VBA macros likely execute code to download and execute a second-stage payload, as indicated by the CreateObject heuristic and the presence of embedded URLs. The callback phishing lure heuristic further suggests a social engineering attempt to trick the user into interacting with malicious infrastructure.
Heuristics (4)
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 1a61d6249f91802b0043f4f464214bcd40485f2f69e8b1817ed2e168773dffba | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8232 bytes |