Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 007f7374fee16016…

MALICIOUS

Office (OLE) / .DOCX

Size: 41.5 KB
Created: 2023-02-02 01:17:00
Authoring application: Microsoft Office Word
MD5: 063f3ce1426eebef7e9a5e2e2d35b1a1
SHA-1: e6ba4dc8af76e7a69924b7a09023a00119a92c62
SHA-256: 007f7374fee160160b7e232cda7697087260f8a22b09f0470c5b818e0b475885
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains a VBA macro within the Document_Open subroutine, which is designed to execute automatically when the document is opened. This macro attempts to overwrite itself with its own code and then save the document, likely to facilitate the execution of a malicious payload. The presence of the 'APMPKILL' comment and the heuristic firings strongly suggest malicious intent.

Heuristics (4)

  • ClamAV: Doc.Macro.APMPKILL-6097118-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: f136142b40965ce41763caed3acb0ccab48ef04e860145c7f9d9ef01967df9ba
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1027 bytes