Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 2dd8a579f3a678df…

MALICIOUS

Office (OOXML) / .DOC

Size: 23.6 KB
Created: 2022-02-09 02:21:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 16cee13f05bc02b5d9ada5f7aade29ca
SHA-1: 7e225616ee841c4f55665e9de229bdc83c26b151
SHA-256: 2dd8a579f3a678dfa889d074b7468212e493c3cd604757a66f94d181aa33e100
Risk score: 202

Malware Insights

MITRE ATT&CK
  T1566.001 Phishing: Spearphishing Attachment
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an OOXML document carrying a VBA project with a Document_Open auto-exec entry point, a common initial-execution technique. The macro calls Shell() and references cmd.exe, indicating an intent to execute arbitrary commands, so the document is most likely a loader for a second-stage payload. One URL that is not an XML namespace identifier, http://192.168.0.192/share/dung.txt, was extracted from the document (see Embedded URL below). It is an RFC 1918 private address, so any download would come from a local network, and this report does not record which channel (macro, link annotation or body text) reached it, so it cannot be confirmed as the macro's download target from the static evidence alone. The rest of the VBA (helper functions for array-dimension checking and data-type validation) appears to be functional filler; the malicious behaviour is the cmd.exe execution. Note that the file is labelled .DOC but is OOXML: Word identifies the format from the content rather than the extension, and the .doc extension does not carry the macro-free restriction that .docx does, so the macro still runs.

Heuristics (6)

  • Shell() call in VBA (critical) OLE_VBA_SHELL
  • Document_Open macro (high) OLE_VBA_DOCOPEN
  • cmd.exe reference in VBA (high) OLE_VBA_CMD
  • Suspicious extracted artifact (high) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium) OOXML_VBA
    Document contains word/vbaProject.bin, i.e. VBA macros are present.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; per-URL labels (not shown on this page) record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Network indicator: http://192.168.0.192/share/dung.txt (RFC 1918 private address; the only extracted URL that is not an XML namespace identifier)
    XML namespace URIs declared in the document parts, listed for completeness; these are not network indicators:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: b0ab7b9e4c9745c2e4877eec9d70fc065b7ac65b6345632a8ecbb24bb65b7e8d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8241 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely.
Notes: Carved artifact contains 1 shell/COM execution token. Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: e88b6aeba54e187918dbc7c02d375cf9ad18be3c153156a88f837ca07f64633a
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 27136 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely.
Notes: Carved artifact contains 1 shell/COM execution token. Carved macro source contains an auto-exec entry point and execution/download terms.
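The checks behind the OLE_VBA_DOCOPEN, OLE_VBA_SHELL, OLE_VBA_CMD and OOXML_VBA heuristics and the URL triage above can be reproduced with a few lines of Python. The script below is an added example written for this page, not the analysis tool's own code and not the sample's real macro: the VBA text and the OOXML package it inspects are constructed inline (the package reuses the extracted URL from this report and a placeholder vbaProject.bin with only an OLE2 header, since decoding the MS-OVBA compressed modules is what oletools.olevba does). The namespace allow-list, the regexes and the EXEC_DOWNLOAD_TERMS label are assumptions of the example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Hosts whose URLs are XML namespace identifiers in OOXML parts, not network
# indicators. Assumption: this allow-list is ours, not the report tool's.
NAMESPACE_HOSTS = {"schemas.microsoft.com", "schemas.openxmlformats.org",
                   "www.w3.org", "purl.org"}

# OLE_VBA_DOCOPEN / OLE_VBA_SHELL / OLE_VBA_CMD follow the report's heuristic
# IDs; EXEC_DOWNLOAD_TERMS is our own label (assumption). Regexes are ours.
AUTOEXEC_RE = re.compile(
    r"\bSub\s+(Document_Open|AutoOpen|Auto_Open|AutoExec|Document_Close|"
    r"AutoClose|Workbook_Open|Workbook_Close)\b", re.I)
SHELL_RE = re.compile(r"\b(WScript\.Shell|ShellExecute|Shell|CreateObject)\b", re.I)
CMD_RE = re.compile(r"\bcmd\.exe\b|\bcmd\s+/[ck]\b", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|DownloadFile|InternetOpenUrl)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header


def triage_vba(src):
    """Run the macro-source checks over decoded VBA text.

    Returns {heuristic_id: [matched tokens]} with a key only for checks that
    hit, so the caller can count shell/COM tokens the way the report does."""
    hits = {}
    for hid, rx in (("OLE_VBA_DOCOPEN", AUTOEXEC_RE), ("OLE_VBA_SHELL", SHELL_RE),
                    ("OLE_VBA_CMD", CMD_RE), ("EXEC_DOWNLOAD_TERMS", DOWNLOAD_RE)):
        found = [m.group(m.lastindex or 0) for m in rx.finditer(src)]
        if found:
            hits[hid] = found
    return hits


def triage_ooxml(data):
    """Inspect an OOXML container: locate VBA projects and split extracted URLs
    into network indicators versus namespace identifiers. The ZIP magic check
    mirrors how Word picks the format from content, not from the extension,
    which is why an OOXML file renamed .doc is still opened as OOXML."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not an OOXML (ZIP) container")
    vba, network, namespaces = [], set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.lower().endswith("vbaproject.bin"):
                # Compressed VBA modules live inside this OLE2 file; decoding
                # them (MS-OVBA) is left to oletools.olevba.
                vba.append(name if blob.startswith(OLE_MAGIC) else name + " (bad OLE magic)")
            elif name.lower().endswith((".xml", ".rels")):
                for url in URL_RE.findall(blob.decode("utf-8", "replace")):
                    host = urlparse(url).hostname or ""
                    (namespaces if host in NAMESPACE_HOSTS else network).add(url)
    return {"vba_project": vba, "network_urls": sorted(network),
            "namespace_urls": len(namespaces)}


# Constructed stand-in for a decoded macro module (not the sample's real VBA).
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim cmd As String
    cmd = "cmd.exe /c whoami"
    Shell cmd, vbHide
End Sub
'''


def build_sample_docx():
    """Constructed minimal OOXML package: two XML parts carrying namespace URLs,
    the report's extracted URL in the body text, and a placeholder
    vbaProject.bin with a valid OLE2 header and no real modules."""
    ctypes = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
              'package/2006/content-types"><Default Extension="bin" '
              'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    doc = ('<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/'
           'officeDocument/2006/relationships"><w:body><w:p><w:r>'
           '<w:t>http://192.168.0.192/share/dung.txt</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", doc)
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_vba(SAMPLE_VBA))
    print(triage_ooxml(build_sample_docx()))
```

On the constructed input, triage_vba reports the auto-exec entry point, one shell token and one cmd.exe reference and no download terms, and triage_ooxml reports the single VBA project, exactly one network URL and three namespace URIs. Point it at real files by feeding triage_ooxml the bytes of the document and triage_vba the olevba output; the namespace split is what keeps the long schemas.* list above from being mistaken for indicators.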