Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 2bf76c78acc8d61b…

MALICIOUS

Office (OOXML) / .DOC

Size: 100.8 KB
Created: 2021-04-28 05:02:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: fd22f2ada5eab57e5479668e6d215e74
SHA-1: cf1967d631401405db618e516131b04525c17d33
SHA-256: 2bf76c78acc8d61bdcee26e918d26f8c65d5e079b55fe25404234ad88d64ff0a
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The OOXML document contains VBA macros, specifically an AutoOpen macro, which is designed to execute automatically when the document is opened. The heuristics indicate the presence of a CreateObject call and a suspicious extracted artifact containing encoded blobs and script execution terms. This suggests the macro's purpose is to download and execute a second-stage payload from the identified unknown-reputation URL.

Heuristics (5)

  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (first entry is the unknown-reputation URL referenced above; the remaining entries are XML namespace URIs that are normal in OOXML and XMP metadata):
    • http://2000-duncan-stock.com/bijol/59366/mkH0NYI3UvTM3mko3xCCguQFwbBgb60C5cCszXyZukpX/gytkIvJoR2NXiR0t7dcWUMJOLOr2i0G7zAh1chA/irBnlcJCGHyAZg/uMDyVyjfo
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1864547e02d7675d57f2e2c89914ebbe521f8321c9e81800c383f5469660a34f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2968 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: d7471c3a1d7a2fa676358fbe522c42062e893f1ae4b35d3b2886303218ec010e
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 26624 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.