Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 2ea61842af777d47…

MALICIOUS

Office (OOXML) / .DOC

138.7 KB Created: 2020-10-07 08:53:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: 6415cace28b5e9dea0d17e32eefc2ed2 SHA-1: 84a48e317246af1d1c7e68741384465822fc4353 SHA-256: 2ea61842af777d477c077e7b8880d25e0c8f04f6f86dd8e61ea45a3f4165514a
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file contains VBA macros, including an AutoOpen macro, which is designed to execute automatically upon opening the document. The critical heuristic firing for Shell() call in VBA indicates that the macro attempts to execute arbitrary commands. ClamAV detected this as a generic dropper, suggesting its purpose is to download and execute a second-stage payload. No specific URLs or executable files were extracted, but the presence of the AutoOpen macro and Shell() call strongly suggests a malicious dropper.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Dropper.Generic-9823539-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Generic-9823539-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1d81d23ce9a1507c91a9a4e6ef13c46e13c70b26db1f8cf39ab8cf93601216a9		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10298 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
2e17e3687e8b54eb003bbeb78ac1e07040e805412762ec360dff5a6f660e8ba2		 vba-project OOXML VBA project: word/vbaProject.bin 40448 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.