Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 334efd5f76ab2563…

MALICIOUS

Office (OOXML) / .DOC

417.5 KB Created: 2020-03-11 13:24:00 UTC Authoring application: Microsoft Office Word 14.0000
MD5: 74f95849d8e2d98f204a89d8926bc976 SHA-1: 63a15225cc71c9873a782d8c5386680948adef94 SHA-256: 334efd5f76ab25639c505c7d382cb7a95e149e3ce13fbce4577a4faf6807eaa6
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is a malicious OOXML document detected by ClamAV as Doc.Dropper.Valyria-9768469-0. It contains a VBA project with an AutoOpen macro, indicating it's designed to execute automatically upon opening. The presence of VBA macros and the ClamAV detection strongly suggest the document's purpose is to act as a dropper for further malicious activity, likely involving downloading and executing additional payloads. No specific URLs or executable content were directly extracted, limiting the IOCs.

Heuristics 6

  • ClamAV: Doc.Dropper.Valyria-9768469-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-9768469-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
3ecb8ee8c5a4e185d564ce087f6f7e551be937eb7da23c5bd59748c5adfe1408		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 210097 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 41 Chr/ChrW string-construction calls.
vbaProject_00.bin
cb852e3de766bc1b6e662cf8a7ffa00149be4afc081ee9c2f6581c174656bdc4		 vba-project OOXML VBA project: word/vbaProject.bin 704000 bytes
Detection
ClamAV: Doc.Dropper.Valyria-9768469-0
Obfuscation or payload: likely
Carved artifact contains 1588 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.