MALICIOUS
328
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
T1140 Deobfuscate/Decode Files or Information
The sample contains VBA macros, including a Document_Open auto-execution macro, which is indicative of a downloader. The presence of GetObject calls and references to WScript suggest the execution of external code. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely instructs the user to open a password-protected archive, a common tactic to bypass security scans. The extracted URLs are likely used to download a second-stage payload.
Heuristics 10
-
ClamAV: Doc.Downloader.ChristmasGift-9845923-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.ChristmasGift-9845923-0
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.prorish.com/wp-content/plugins/maintenance/includes/fonts/M8kiSjNOkR.php
- http://smileclothingofficial.com/AJEW0NzyHw48dR.php
- http://aswm.in/wp-includes/sodium_compat/namespaced/Core/ChaCha20/COjMXDyEWbDGui.php
- https://elitechauffeurservices.ro/wp-content/plugins/wordpress-seo/vendor/composer/Aa02pG3neWNo.php
- https://puchoff.com/C40/resource/dpr_2.0/content/dam/ofuhIB4wKU2.php
- https://straitofgaming.com/phpmyadmin/js/vendor/openlayers/img/Oj9a5ggSO8V4S.php
- https://samarth.group/hdisz7c/cache/J0CLLNQwA.php
- https://ntradrsventas.ga/wp-content/plugins/woocommerce/includes/abstracts/WYRmpQbadzXs.php
- http://healthdepartmentnews.com/wp-content/plugins/themify-builder/img/builder/SDenBnhVAc.php
- http://www.petro7.com.sa/focuson/wp-content/plugins/elementskit/compatibility/KaaNDKtIaX0sh.php
- http://schemas.openxmlformats.org/drawingml/2006/main
- http://www.w3.org/1999/XSL/Transform
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas89658d32bcaf474c8ea94e5b253e01d0142e5beae192efee5d83e50282d83508 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25587 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 125 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.