Malicious Office (OOXML) / .DOCM — malware analysis report

Static analysis result for SHA-256 483ce500c97e69b9…

MALICIOUS

Office (OOXML) / .DOCM

3.43 MB Created: 2021-03-15 12:26:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: c1ca77af76d289e637bb390a3e1f234f SHA-1: 4a54ce8ccada2b538407fd251766b0cc1d6886be SHA-256: 483ce500c97e69b9937400f16c2cbf2cdd56017020051456efc24137f03f2579
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The sample is a DOCM file containing VBA macros. The presence of a Document_Open macro, along with calls to Shell() and CreateObject(), indicates that the macros are designed to execute arbitrary commands. The reference to cmd.exe further supports this. The specific commands executed are not detailed in the provided evidence, but the intent is to run shell commands.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.micros
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b0a97cbd8d797eb2b8cd82db7296d5ef703e37ffe5673578e0cd2031387eeef2		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8388608 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
vbaProject_00.bin
6ab809ae098647ff732337b9e1ea023fe321f7b599e5b188e1a944a6ba0682f7		 vba-project OOXML VBA project: word/vbaProject.bin 3873792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.