Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 35738e9712c4ad3e…

MALICIOUS

Office (OOXML) / .DOC

Size: 37.6 KB | Created: 2021-12-16 08:57:00 UTC | Authoring application: Microsoft Office Word 16.0000
MD5: 96e58aad69e4842294b2c8758fb23548
SHA-1: 81291fb3f7dec56a85e89f41f13d80bddf097729
SHA-256: 35738e9712c4ad3e1804851657dabe750f59ce28b2f75d158936609e0e219bd1
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic

The file is an OOXML document containing VBA macros, flagged by the OOXML_VBA heuristic on the presence of a vbaProject.bin part. The ClamAV detection Doc.Downloader.BlueWord12210-9915312-0 classifies it as a downloader. The document body contains obfuscated text, which is likely intended to hide the malicious content or script. The only URLs extracted are XML namespace URIs (OOXML/Word schemas and Adobe XMP metadata namespaces) that occur in ordinary Word documents; they are not network indicators. No download URL, IP address or second-stage hash was recovered statically, so the downloader verdict rests on the VBA macros together with the ClamAV signature: a macro that, once enabled, fetches and executes a further stage. Recovering the actual retrieval address requires extracting and deobfuscating the macro (for example with olevba) or detonating the sample.

Heuristics (3)

  • ClamAV: Doc.Downloader.BlueWord12210-9915312-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.BlueWord12210-9915312-0
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 24 URLs below are xmlns namespace declarations (OOXML and Microsoft Word schema URIs, plus Adobe XMP namespaces that typically come from the metadata of an embedded image). They identify schemas, carry no network intent, and should not be treated as indicators of compromise.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
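The two structural checks above (a vbaProject.bin part inside the OOXML zip, and URLs pulled from the XML parts) are easy to reproduce offline. The following script is an added example written for this report, not part of the analysis platform or its heuristics. It opens a Word package with the standard library only, flags the VBA part, and separates namespace URIs such as the 24 listed here from URLs that point at an arbitrary host. The sample package it builds in memory is constructed for the demonstration; the hyperlink target `example.invalid` and the truncated OLE2 stub standing in for vbaProject.bin are hypothetical and do not come from the analysed file.

```python
"""Reproduce the OOXML_VBA and EMBEDDED_URL checks on a Word package with
the standard library only (added example; not the analysis platform's code)."""
import io
import re
import zipfile

# Hosts whose URIs appear as xmlns declarations in ordinary Word documents
# (OOXML/Word schemas, RDF, Dublin Core, Adobe XMP). They identify schemas,
# not destinations the document reaches out to.
SCHEMA_HOSTS = (
    "schemas.openxmlformats.org",
    "schemas.microsoft.com",
    "www.w3.org",
    "purl.org",
    "ns.adobe.com",
)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def triage_ooxml(data: bytes) -> dict:
    """Return a dict with the VBA verdict and the URLs found in XML/.rels parts.

    'schema_uris' holds namespace declarations (not indicators);
    'candidate_urls' holds everything else and deserves analyst attention.
    """
    result = {"has_vba": False, "vba_parts": [], "schema_uris": [], "candidate_urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # The VBA project is an OLE2 compound file stored as a zip part.
            if name.lower().endswith("vbaproject.bin"):
                result["has_vba"] = True
                result["vba_parts"].append(name)
            # URLs live in the document XML, relationship files and metadata.
            if name.lower().endswith((".xml", ".rels")):
                for raw in URL_RE.findall(zf.read(name)):
                    url = raw.decode("utf-8", "replace")
                    host = url.split("/", 3)[2].lower()
                    bucket = "schema_uris" if host.endswith(SCHEMA_HOSTS) else "candidate_urls"
                    if url not in result[bucket]:
                        result[bucket].append(url)
    return result


def build_sample() -> bytes:
    """Constructed sample package: a minimal Word document with the usual
    namespace declarations, one external hyperlink relationship to a
    hypothetical host, and a stub vbaProject.bin (OLE2 magic only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml"><w:body/></w:document>',
        )
        zf.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="http://example.invalid/stage2.bin" TargetMode="External"/>'
            "</Relationships>",
        )
        # OLE2 compound-file signature followed by padding; hypothetical stub.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    verdict = triage_ooxml(build_sample())
    print("VBA present:", verdict["has_vba"], verdict["vba_parts"])
    print("Namespace URIs (ignored):", len(verdict["schema_uris"]))
    print("Candidate URLs:", verdict["candidate_urls"])
```

The script deliberately stops at "a VBA part exists": vbaProject.bin is an OLE2 container holding compressed VBA source, so recovering the actual downloader logic (and any URL it assembles at runtime, which is why none surfaced in the XML here) needs a macro extractor such as oletools' `olevba` run against the file, followed by manual deobfuscation or detonation in a sandbox.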