Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 1fb0e33404741615…

MALICIOUS

Office (OOXML) / .DOCX

Size: 119.0 KB
Created: 2020-04-07 18:55:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: e5eb1df30dde9a9e6dd312d2ff1caaa7
SHA-1: 8cee178134917840069a5cd09e861eeec860de8d
SHA-256: 1fb0e33404741615d9df2c6a07d4376beaf01e04de24572a627b6b48ad69ddba
Risk Score: 308

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is a DOCX document containing VBA macros, indicated by the OOXML_VBA heuristic. The presence of AutoOpen and Auto_Close macros, along with critical firings for Shell() calls and cmd.exe references, strongly suggests malicious intent. The ClamAV detection of 'Doc.Dropper.Agent-9750547-0' further confirms its malicious nature. The macros likely download and execute a second-stage payload via cmd.exe.

Heuristics (9)

  • Shell() call in VBA (severity: critical, OLE_VBA_SHELL)
  • ClamAV: Doc.Dropper.Agent-9750547-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-9750547-0
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
  • Auto_Close macro (severity: high, OLE_VBA_AUTOCLOSE)
  • cmd.exe reference in VBA (severity: high, OLE_VBA_CMD)
  • Suspicious extracted artifact (severity: high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium, OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.
  • Environ() call (environment variable access) (severity: low, OLE_VBA_ENVIRON)
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Hash: 6a777abbae4f819a4de06d5b703cfffaf592f194936215f7fc55910c12ecd2a8
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2486 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.
  • vbaProject_00.bin
    Hash: 77124e4d2e336b1d67b1c604da25259d398e6abd970b936b2a47afc3f3f38cc1
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 88576 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.