Office (OOXML) / .DOCX malware analysis — malicious · 4d569f6ba4df6403

MALICIOUS

Office (OOXML) / .DOCX

136.3 KB Created: 2020-01-24 18:12:00 UTC Authoring application: Microsoft Office Word 16.0000

MD5: 19a23132102c2fe433739f33d35a48d6 SHA-1: 1e11cf1a022adcbee422504aa86984fbc066f6e3 SHA-256: 4d569f6ba4df6403f6ab2f7b4f679869e86665927f684d1bca67104f3ab7487b

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file is a DOCX document containing VBA macros, specifically a Document_Open macro and a GetObject call, which are common indicators of malicious activity. ClamAV detections confirm this file is malicious. The presence of VBA macros suggests the document is designed to execute arbitrary code, likely to download and execute a second-stage payload.

Heuristics 6

ClamAV: Doc.Malware.Generic-7561115-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generic-7561115-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `2d88aceaeda9e6a169e3771c3f4beaa4acd18099617d450507f3dc641e23ce47`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	13281 bytes
`vbaProject_00.bin` `8c1b782d411a7b4e4d760a5eeeffaf0b56ea41a2cdd45705833f1026fba12949`	vba-project	OOXML VBA project: word/vbaProject.bin	112640 bytes
Detection ClamAV: Doc.Malware.Generic-7561115-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.