Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 0ec9f1dae01d3ef9…

MALICIOUS

Office (OOXML) / .DOC

78.9 KB Created: 2021-01-29 11:46:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: 30b54b430267e10f67ed7ba05ec986e6 SHA-1: 39a078ec6940e907fbf6047e3ca697cc7b30c17f SHA-256: 0ec9f1dae01d3ef933499d859d0b168a4d61c90ee3db8c945c59ad47f0652827
224 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros with an AutoOpen subroutine that calls the Shell function, indicating it is designed to execute arbitrary code. The script attempts to download and execute a second-stage payload, evidenced by the obfuscated string constants and the use of the Shell function. The ClamAV detection name 'Doc.Downloader' further supports this assessment.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b6220120c47c2be5c2ad4ed8895c2b85fc0795075bc711a110c3c206b30e0ea7		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1923 bytes
vbaProject_00.bin
5d194e306fa00d964fc167092603c912b8e14a05ef725a946e52d57943e1617e		 vba-project OOXML VBA project: word/vbaProject.bin 39424 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.