Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 520757da4210832d…

MALICIOUS

Office (OOXML) / .DOC

Size: 140.3 KB
Created: 2021-01-27 17:21:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: a08ae234a3763451892bc1e36dee2b33
SHA-1: 563deb3afc4f28d9e1a4608da051fe5b006302f4
SHA-256: 520757da4210832d481a9e4428e5bca97ca1d1a56072b60ab73206947c42416f
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing a VBA project with a Document_Open macro. This macro utilizes CreateObject, a common technique for executing arbitrary code. The presence of the 'Doc.Downloader.BlueWord12211-9918950-0' ClamAV signature strongly suggests a downloader functionality. The embedded URL, though benign in reputation, is part of the document's structure and may have been used in conjunction with the macro to fetch additional malicious content.

Heuristics (6)

  • ClamAV: Doc.Downloader.BlueWord12211-9918950-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.BlueWord12211-9918950-0
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 52a1fe8d1f44372134b47575f5a15cb6b0e178b406c4c0063800db4c135dbb60
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2265 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved macro source contains an auto-exec entry point and execution/download terms.
  • Filename: vbaProject_00.bin
    SHA-256: b1a8c9207b9e5797be45ab96cc5549737b032f62ad3b1ed64cdd12d76eeb7cf2
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 114176 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.