Malicious Office (OOXML) / .DOCM — malware analysis report

Static analysis result for SHA-256 4719441998c6be7c…

MALICIOUS

Office (OOXML) / .DOCM

3.84 MB Created: 2022-06-22 16:30:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-06-22
MD5: 7766dd77f9dc97d1bd657fd269d5d78b SHA-1: cb7fdf089372a68ea9785c0d396158d97e5561ea SHA-256: 4719441998c6be7cf7df74db17758bd998c4834f3b5e6772bdb9cecd67c4de02
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a DOCM file containing VBA macros, specifically an AutoOpen macro that utilizes CreateObject. ClamAV identifies this as a dropper/downloader. Although the provided VBA script excerpts are truncated and do not contain direct download or execution logic, the presence of the AutoOpen macro and the ClamAV detection strongly suggest the intent is to download and execute a second-stage payload. The heuristics indicate a high likelihood of malicious VBA execution.

Heuristics 6

  • ClamAV: Doc.Dropper.Downloader-6398288-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Downloader-6398288-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
750d835536e2ca9f25c661385806d45865edce15b6e6c3ee97a396e2cc8f20cb		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8388608 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3886 long base64-like blob(s).
vbaProject_00.bin
b1c2321c6f12093f1f3bc03ba9cfd7ad2ad70308affe4aae7399bf476a22e8fe		 vba-project OOXML VBA project: word/vbaProject.bin 8388608 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3569 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.