Office (OOXML) / .DOC malware analysis — malicious · 0f188a5741c7753b

MALICIOUS

Office (OOXML) / .DOC

33.9 KB Created: 2017-05-25 19:12:00 UTC Authoring application: Microsoft Macintosh Word 14.0000

MD5: 6a5c5c5325024b73fb6189ac0fd668d9 SHA-1: 0222c54bdf99491e82451c6d48bb5bb5233c9888 SHA-256: 0f188a5741c7753b90d4e51b6096541e018abfb3db33d502d718ccc29f89e98b

442 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute automatically upon opening, leveraging WScript.Shell and CreateObject to write and execute a decoded payload. The AutoOpen macro attempts to decode a Base64 string from the document's 'Comments' property and then executes it, either as a Windows executable or via Python on macOS. This indicates a downloader or dropper functionality.

Heuristics 10

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
ClamAV: Doc.Malware.Valyria-6728957-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Valyria-6728957-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.motobit.com
- http://Motobit.cz
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/mac/office/2008/main
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `3fbc2ef94a618e17d5a6ba5af930717982f8239ff4eded5753681755be17f4ca`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2931 bytes
`vbaProject_00.bin` `635a875e3ae07b99a521c0222d87b4cab342ce6b00fdce8cbae6e5f81dd4492f`	vba-project	OOXML VBA project: word/vbaProject.bin	15872 bytes
Detection ClamAV: Doc.Malware.Valyria-6728957-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.