Malicious Office (OOXML) / .DOCM — malware analysis report

Static analysis result for SHA-256 496b0b7f93a017b3…

MALICIOUS

Office (OOXML) / .DOCM

264.7 KB Created: 2022-03-11 01:50:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2022-05-23
MD5: ce02ee477e1188f0664dd65b17e83d11 SHA-1: c2b1c45b1b9219bf9e59c2708cd8ce3ae3ec9930 SHA-256: 496b0b7f93a017b3e7931feac5c9ac1741d5081cfabafe19c14593093fd58c19
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

This DOCM file contains VBA macros, specifically a Document_Open macro, which is a common technique for initiating malicious actions upon opening the document. The heuristics indicate the presence of obfuscated VBA code and a potentially suspicious extracted artifact. While the script is truncated, the presence of API calls related to file operations (CreateFileA, WriteFile, ReadFile, CloseHandle) suggests the macro is designed to download and execute a second-stage payload.

Heuristics 4

  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
72d4004b9a717ba6a2125355851de825fa535fb658d1a1e345b4e32e1ead0ccb		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6688 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 44 Chr/ChrW string-construction calls.
vbaProject_00.bin
919fe1e1cefcc241c1c1ff8863d792c43e24379e1180ca08b1b1d7773beb527f		 vba-project OOXML VBA project: word/vbaProject.bin 432640 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.