Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 35efc1a4484801b7…

MALICIOUS

Office (OOXML) / .DOC

205.2 KB Created: 2020-08-17 16:48:00 UTC Authoring application: Microsoft Office Word 14.0000
MD5: ecc3faa21de381fa75e6be6a4f719d4d SHA-1: 0bad96d6587806928f9e4ebd546f2a76d9f2ac4d SHA-256: 35efc1a4484801b7f80c526060f24ca86c24dd5af35d7b1c5bffa47f7229ca71
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of heuristics indicating visible LOLBin command execution and GetObject calls suggests the macro is designed to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature. While the specific family is not identifiable, the overall pattern points to a macro-based downloader.

Heuristics 8

  • ClamAV: Doc.Malware.Generickdz-9757254-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generickdz-9757254-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
3dd6d2305a38bf211cbf549ac10eb1da73a2b9ea16532d214ccc37312ae13bc3		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 622 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
vbaProject_00.bin
91d88aa7328b480a4f21e6313e086b2978712d33b1e5df723a73bb0382362d47		 vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
Detection
ClamAV: Doc.Malware.Generickdz-9757254-0
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.