MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros and exhibits heuristics indicating it's a downloader. The document body explicitly instructs the user to execute commands like 'rundll32.exe \11550.dll' and mentions 'Wscript.Shell', suggesting it's designed to download and execute a second-stage payload from one of the provided URLs. The ClamAV detection name 'Xls.Downloader.TrendMicroDridex0521-9860965-0' strongly suggests the Dridex family.
Heuristics 5
-
ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://damonica.com/webedit_includes/de/skins/default/m7OPEeyiZzqD.php In macro / runtime command snippet
- https://tafaghodi.ir/resume/files/OKBWIjkslY8bOV.phpIn document text (OOXML body / shared strings)
- https://website-demo.co.in/jthealthcare/wp-includes/css/dist/block-editor/KnSlPIeZi.phpIn document text (OOXML body / shared strings)
- https://radiouranio.com/player_radio/jquery.lightbox/js/lightbox/themes/zagDA4cqUZOj.phpIn document text (OOXML body / shared strings)
- https://hereweads.com/wp-content/plugins/woodmart-core/woodmart-core/importer/UZIk36xnY.phpIn document text (OOXML body / shared strings)
- https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
- https://loveworldprograms.org/videos/fontawesome/css/FHK2joBPEd.phpIn document text (OOXML body / shared strings)
- https://momentsjo.com/COPYRIGHT/fUK6TkrF5j2dFc.phpIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 674 bytes |
SHA-256: 5e4b19e4e9de09c462ab65f16c272f5f34734be07861863f881268efc4517720 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "현재_통합_문서"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub function1()
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 10240 bytes |
SHA-256: 8681dc474ff6de43490ca1c907f015666ceffbde9ec6e11c8ef8fc8aa23809cd |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.