Malicious Office (OOXML) / .DOCM — malware analysis report

Static analysis result for SHA-256 18192d73262c70be…

MALICIOUS

Office (OOXML) / .DOCM

Size: 22.6 KB
Created: 2022-11-27 08:20:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2023-01-28
MD5: 8f3adb3381bb7988e2868263f95bf462
SHA-1: 4be476d77ac8b38a5c3547c891e1f79a71c0626d
SHA-256: 18192d73262c70be2f06e722443bd7e234161f563329d2bd499d1ebfdf5447b6
Risk Score: 270

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

This OOXML document carries a VBA project (word/vbaProject.bin) whose decoded source defines the auto-execution handlers AutoOpen, Auto_Open and Workbook_Open. Only AutoOpen fires by itself when a Word document is opened; Auto_Open and Workbook_Open are Excel entry points and are inert in Word, so their presence points to a reused or generic macro template rather than to three independent triggers. The extracted VBA declares and uses the Windows APIs VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, the classic remote-thread injection chain: allocate memory in a target process, write shellcode into it, and start a thread on it. In documents of this kind the injected code is typically a loader that retrieves a second-stage payload, although no download URL is visible in the static artifacts (every URL extracted from the package is an OOXML schema namespace). An Environ() call reads an environment variable at run time, usually to resolve a writable path such as %TEMP% for staging. The ClamAV signature Doc.Malware.Valyria-10012625-0 corroborates the verdict.
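The checks described in the summary above, written out as an added Python example (this is not code from the report's own pipeline or from oletools). It runs over decoded VBA source of the kind olevba places in macros.bas: it separates the auto-exec handlers that really fire in the host application from those that are inert there, resolves Declare statements through their Alias so that a renamed import still maps to VirtualAllocEx, WriteProcessMemory or CreateRemoteThread, and records Environ() lookups. The VBA sample embedded in it is constructed for illustration, and the score weights and verdict thresholds are this example's own assumptions, not the report's risk-score formula.

```python
import re

# Auto-exec entry points by host application. Word runs AutoOpen/AutoExec/Document_Open
# when a document opens; Excel runs Auto_Open/Workbook_Open when a workbook opens.
# A Word .docm that carries Workbook_Open therefore never fires that handler by itself.
AUTOEXEC_BY_HOST = {
    "word": {"AutoExec", "AutoOpen", "AutoNew", "AutoClose", "AutoExit",
             "Document_Open", "Document_New", "Document_Close"},
    "excel": {"Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_Close",
              "Workbook_Activate", "Workbook_BeforeClose"},
}

# The three Win32 calls that together form the remote-thread injection chain.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}

SUB_RE = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                    re.IGNORECASE | re.MULTILINE)
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE)
ENVIRON_RE = re.compile(r'Environ\$?\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def triage_vba(source: str, host: str) -> dict:
    """Classify auto-exec handlers, resolve declared Win32 imports and note Environ() use."""
    procedures = SUB_RE.findall(source)

    # Map each declared VBA name to the real export (the Alias when one is given), so a
    # statement like 'Declare Function VAE Lib "kernel32" Alias "VirtualAllocEx"' still counts.
    imports = {}
    for local_name, _lib, alias in DECLARE_RE.findall(source):
        imports[local_name] = alias or local_name
    exports_lower = {name.lower() for name in imports.values()}

    live_names = {n.lower() for n in AUTOEXEC_BY_HOST[host]}
    foreign_names = {n.lower() for h, names in AUTOEXEC_BY_HOST.items() if h != host for n in names}
    live = sorted(p for p in procedures if p.lower() in live_names)
    inert = sorted(p for p in procedures if p.lower() in foreign_names)
    injection = sorted(a for a in INJECTION_APIS if a.lower() in exports_lower)
    environ = sorted(set(ENVIRON_RE.findall(source)))

    # Illustrative weighting: an assumption of this example, not the report's risk score.
    score = 3 * bool(live) + (5 if len(injection) == 3 else 2 * bool(injection)) + bool(environ)
    if live and injection:
        verdict = "malicious"
    elif live or injection:
        verdict = "suspicious"
    else:
        verdict = "no auto-exec or injection indicators"
    return {"procedures": procedures, "live_autoexec": live, "inert_autoexec": inert,
            "imports": imports, "injection_apis": injection, "environ": environ,
            "score": score, "verdict": verdict}


# Constructed VBA in the shape olevba decodes from a vbaProject.bin (not the real macros.bas).
SAMPLE_VBA = r'''
Private Declare PtrSafe Function VAE Lib "kernel32" Alias "VirtualAllocEx" _
    (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, _
     ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" _
    (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByRef lpBuffer As Any, _
     ByVal nSize As Long, ByRef lpNumberOfBytesWritten As LongPtr) As Long
Private Declare PtrSafe Function CreateRemoteThread Lib "kernel32" _
    (ByVal hProcess As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal dwStackSize As Long, _
     ByVal lpStartAddress As LongPtr, ByVal lpParameter As LongPtr, ByVal dwCreationFlags As Long, _
     ByRef lpThreadId As Long) As LongPtr

Sub AutoOpen()
    Dim stage As String
    stage = Environ("TEMP") & "\update.tmp"
    Workbook_Open
End Sub

Sub Workbook_Open()
    ' injection chain would be driven from here
End Sub
'''

if __name__ == "__main__":
    for host in ("word", "excel"):
        print(host, triage_vba(SAMPLE_VBA, host))
```

Running the same source under both hosts shows why the host matters: in Word the live entry point is AutoOpen and Workbook_Open is inert, while in Excel the roles reverse. The injection verdict does not change, because it depends on the resolved export names, not on the local names the macro author chose.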

Heuristics 8

  • ClamAV: Doc.Malware.Valyria-10012625-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10012625-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro: runs automatically when the document is opened in Word, so for this .docm it is the live entry point.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro: Excel workbook-open event handler. It does not fire automatically when a Word document opens; treat it as evidence of a reused Excel macro template rather than as an independent trigger.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro: legacy Excel auto-exec entry point, likewise inert in Word.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project (word/vbaProject.bin), so VBA macros are present.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call: reads an environment variable at run time, typically to resolve a path such as %TEMP% or %APPDATA% for dropping or staging a payload.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is an XML namespace URI that Word writes into the parts of any document it saves; none is a hyperlink target or a macro download location, so this list contributes no network indicator for this sample.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.microsoft.com/office/2019/extlst
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
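The heuristic above says that a URL is only meaningful together with the channel that carried it. The following Python, added here as an example and not taken from the pipeline behind this report, shows one way to assign that label. It builds a constructed minimal OOXML package in memory (a document part with xmlns declarations and a URL typed into body text, a relationships part with one external hyperlink target, and a placeholder word/vbaProject.bin that is not a real VBA project), then separates namespace declarations and relationship-type identifiers, which appear in every saved document, from external relationship targets and body-text URLs, which are the only candidates for network indicators. The example.invalid host is a reserved name used purely for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
XMLNS_RE = re.compile(r'xmlns(?::\w+)?="([^"]+)"')


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package for the demonstration (not a real Word file)."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
        ' xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml">'
        '<w:body><w:p><w:hyperlink r:id="rId2"><w:r><w:t>update</w:t></w:r></w:hyperlink></w:p>'
        '<w:p><w:r><w:t>mirror: http://example.invalid/plain-text-link</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"'
        ' Target="vbaProject.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
        ' Target="http://example.invalid/stage2" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/vbaProject.bin", b"placeholder, not an OLE container")
    return buf.getvalue()


def classify_urls(package: bytes) -> dict:
    """Label every URL in an OOXML package by the channel that carries it."""
    found = {"namespace": set(), "relationship_type": set(),
             "external_target": set(), "body_text": set()}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue
            raw = z.read(name)
            # xmlns="..." values are schema identifiers written into every saved document.
            found["namespace"].update(XMLNS_RE.findall(raw.decode("utf-8", "replace")))
            root = ET.fromstring(raw)
            if name.endswith(".rels"):
                for rel in root:
                    found["relationship_type"].add(rel.get("Type", ""))
                    # Only TargetMode="External" relationships point outside the package.
                    if rel.get("TargetMode") == "External":
                        found["external_target"].add(rel.get("Target", ""))
            else:
                # URLs typed into the body; itertext() skips attributes, so xmlns values are excluded.
                found["body_text"].update(URL_RE.findall(" ".join(root.itertext())))
    result = {key: sorted(values) for key, values in found.items()}
    result["has_vba"] = has_vba
    result["indicators"] = sorted(found["external_target"] | found["body_text"])
    return result


if __name__ == "__main__":
    for key, value in classify_urls(build_sample_docx()).items():
        print(key, value)
```

Applied to the real sample, this labelling would file all thirty URLs above under namespace and leave the indicators list empty, which is the practical meaning of the info-level severity the heuristic assigns them.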

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: b55e7f7d9fb8b2c2acdb75483bdbde69d2acac69f338f3f8adaa7b524ece3394
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 7899 bytes

Filename: vbaProject_00.bin
  SHA-256: 10718da394e510a386d30cc7f1b3713517529f312ed15f62931d045501e4a613
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 22528 bytes

Detection: ClamAV: Doc.Malware.Valyria-10012625-0
Obfuscation or payload: unlikely