Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 4de0cdd480990aad…

MALICIOUS

Office (OOXML) / .DOC

143.0 KB Created: 2020-11-24 10:04:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: 96d1a0a87b63e08f2b2299841cd0bf52 SHA-1: f89fd556d4bdfd8052e2a5c29164823ab79a6923 SHA-256: 4de0cdd480990aad05acf6c178e4711cd05bf0bc83b4c65fe0e0c0003832f5d6
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The presence of CreateObject calls and Environ() calls suggests the macro attempts to interact with the system and potentially download or execute additional content. ClamAV detection as 'Doc.Dropper.Generic' further supports its role as a dropper. The embedded URLs are likely part of the document's structure and not directly malicious, but the overall behavior points to a macro-based downloader.

Heuristics 7

  • ClamAV: Doc.Dropper.Generic-9823789-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Generic-9823789-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a5099d95751d0d35e2c596a55c3dcf3d4ed428f9d42692723202ac4f621688f8		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 19968 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
ac5b4f947d8731bfd63b497721c818c70bc17981ff6a7d6518604b1abfc189e6		 vba-project OOXML VBA project: word/vbaProject.bin 62976 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.