Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic for Applications
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically an AutoOpen macro, which is a common technique for malware delivery. The document body presents a list of adult-themed URLs with associated login credentials, suggesting a lure to trick users into visiting potentially malicious or scam websites. The presence of the 'Doc.Trojan.Chaos-2' ClamAV detection further confirms its malicious nature.
Heuristics (5)

- ClamAV: Doc.Trojan.Chaos-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Chaos-2
- ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs:
- http://www.cyberclub.com/ignite/members
- http://hotbox.danni.com/hotbox/
- http://www.powerflow.com/members/135798642.html
- http://www.allasians1.com/membersonly/gallery/
- http://www.breathlessbabes.com/protected
- http://www.caughtceleb.com/cmlogin.html
- http://www.pornmountain.com/members
- http://www.sexillustrated.com/1stquarter/members2.htm
- http://www.redlight.com/members
- http://www.freeamsterdamsex.com/members
- http://www.itouchmyself.com/members/index.html
- http://www.dixiecam.com/members/
- http://www.itsreal.com/members
- http://www.111sexstreet.com/private/sex02.html
- http://teenlabs.com/reactor/reactor1.htm
- http://www.sweet18.com/home.html
- http://members.campusbabes.com/
- http://www.sextv.com/members/index.html
- http://www.smutheaven.com/m/members.html
- http://www.creamythighs.com/members/
- http://www.celebrity-hardcore.com/members/index.html
- http://www.dirtyonline.com/membersonly/
- http://www.sexpaige.com/members/mem_home.html
- http://members.sexy-photos.com
- http://www.cybersex.com/members/index.html
- http://members2.5starerotica.com/index.html
- http://www.virtualhardcore.com/pictures/index.html
- http://www.sexxx-drive.com/members/index.html
- http://www.sizzle.com/members/index.shtml
- http://www.lesbiansonly.com/members.htm
- http://members.maturewomen.com/
- http://www.sexualeuphoria.com/members/archives/index.html
- http://www.pureteens.com/members
- http://www.extremeadultsex.com/members
- http://www.sexroom.net/members/
- http://amazingonline.com/membersdox/
- http://www.venusonline.com/tricia/Members/index.htm
- http://www.chickflicks.com/m/members.html
- http://www.valuesex.com/valuesexmembers/main.html
- http://www.xxxensation.com/cgi-sec/xxxlogin
- http://www.kingporno.com/authorized/
- http://www.erotic-express.com/member/eng/
- http://www.sexualeuphoria.com/members/index.html
- http://members.celebs-n-models.net/babes/
- http://www.erosnet.com/home.html
- http://www.manhole.com/members/index.html
- http://www.cyberstrip.com/members/html/members.cfm
- http://www.corinadine.com/members/index.html
- http://www.Shockingpink.com/members/tina1.html
- http://www.adultpleasures.com/members/
+21 more URL(s)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | 3eae9467b8d203816bb0ef3b971f80b74525a8fc1c54119cdee974282fddbc68 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3645 bytes | ClamAV: Doc.Trojan.Chaos-2 | unlikely |