Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 06902923594df175…

MALICIOUS

Office (OOXML) / .DOC

Size: 141.8 KB
Created: 2021-04-16 07:10:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 09a7db371ef778fcd5ee8da574e1c66b
SHA-1: 7e6411401322d8b0e0245dcaf9ffb0c1ec98f8eb
SHA-256: 06902923594df175889a8d825a62449f1dac95a3126ec3d0c728ca095544ef7b
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1218 Signed Binary Proxy Execution
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that are automatically executed upon opening (AutoOpen heuristic). The script uses GetObject to call Win32_Process.Create, which is a common technique for executing arbitrary commands. The script reconstructs the command 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\}{c: \users\public\curtScorPpaws\ath.tcurtScorPpaws\etc\', suggesting it attempts to establish persistence or download a payload from a specific location. The presence of obfuscated code and the execution of external processes indicate a malicious intent to download and execute further stages.

Heuristics 7

  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 554d4bb393f1ad4800c793562173cc4d12495538c6f07fb8d85fb424ec8e96d8
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 6309 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
  • vbaProject_00.bin
    SHA-256: 4035ad6d3a725dacfd201d04613cf465f88bc334fe376fbd17c362a8386465c4
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 32256 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).