Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 1c3355b153888bcf…

MALICIOUS

Office (OOXML) / .DOC

3.29 MB Created: 2022-07-20 12:06:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-07-20
MD5: b8b93c95d0db9ff7d97fe5aa773e27bc SHA-1: 194b03732e0af898152412ebc086dfe735429455 SHA-256: 1c3355b153888bcf34e419a5bd182ec901ad6a28f8285cdf3da1f74638617133
202 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.005 PowerShell T1059.001 PowerShell T1140 Deobfuscate or Obfuscate Malicious Code

The sample is an OOXML document containing a VBA macro that is renamed to evade detection. The macro includes an 'enable lure' heuristic, indicating it prompts the user to enable content. The VBA code reads reversed configuration from document properties, specifically 'DocumentProperties', and reconstructs a value using StrReverse. This suggests the macro is designed to download and execute a second-stage payload, likely using the reconstructed string as a URL or command. No specific malware family was identified.

Heuristics 7

  • OOXML part with non-standard content type and high-entropy data high OOXML_BOGUS_CUSTOM_PART
    The package declares a part with an invented content type (not an OpenXML/Office/standard media type) holding large, high-entropy (likely encrypted/packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA reads reversed config from document properties high OLE_VBA_REVERSED_DOCPROP_CONFIG
    VBA applies StrReverse to values read from the document's custom/built-in properties. Storing reversed configuration (URLs, CLSIDs, env-var names, payload names) in document properties keeps indicators out of the macro source — an obfuscation technique used by the SVCReady loader.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/YvLISfJOxf.bin)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.microsoft.com/office/2019/extlst
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
4902b1a591d3aed6cfc1c1a642577aa38d4a98008b03a2fc9b1f53c7fe309fce		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2951 bytes
vbaProject_00.bin
6eda64def12543def7a600a57e1da86ae9ae6f8e9ed96731a5cb561a1ab9d3f8		 vba-project OOXML VBA project: word/YvLISfJOxf.bin 8192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.