Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 2dc236bfbf03b29e…

MALICIOUS

Office (OOXML) / .DOC

Size: 17.6 KB
Created: 2011-03-30 02:22:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 9ee9dacd6703c74e959a70a18ebb3875
SHA-1: 7d47038bfd277450c9907219aeb7f10eabaa348f
SHA-256: 2dc236bfbf03b29eabb1fd454d95634bfaa1184bee74ebd268c1ccfc04c4b4e6
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OOXML document containing VBA macros, indicated by the 'OOXML_VBA' heuristic. The presence of an 'AutoOpen' macro suggests that malicious code will execute automatically when the document is opened. The 'GetObject' call is often used in conjunction with VBA to interact with the system or download additional payloads. No specific family could be identified, and no external IOCs were extracted.

Heuristics (4)

  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call (severity: high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA project inside OOXML (severity: medium, OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 9c0eaeee3e17bc5d0617e35897cfaf7cb8d43d6c0ffe87b870514df3b1dd5176
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2989 bytes

Filename: vbaProject_00.bin
  SHA-256: 6da78dc7ddba3fde891e0dd0f2f60828db8ae1d3081aeab546eb4433097e03e9
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 13824 bytes