Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5b060793de837f85…

MALICIOUS

Office (OOXML) / .DOC

Size: 23.1 KB
Created: 2021-03-15 13:26:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2023-02-05
MD5: 21c8d2fda8aaafcfa692d1a67ffa8413
SHA-1: 763ea4b29bf96a1d1cdfdbacc47a5e63d9b4cb7c
SHA-256: 5b060793de837f851f4f1140c1d83fa7eb51d6b3e5c24f215bf4a07b47c26b11
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The file is a malicious OOXML document containing a VBA macro. The 'Document_Open' macro is designed to execute automatically when the document is opened. It appears to attempt to copy itself to the NormalTemplate, potentially to establish persistence or to infect other documents. The ClamAV detection further confirms its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Macro.APMPKILL-6097118-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (15):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: ed8e1b2333282406faa2dfc8caae74cf5a799e7a9799d26c070206d32e7192dc
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1047 bytes
  • vbaProject_00.bin
    SHA-256: 772d91c9ddd7e8e6907c9b873df92a37ffb42da1989fec1c65ca922730682240
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 12288 bytes

Detection
ClamAV: Doc.Macro.APMPKILL-6097118-0
Obfuscation or payload: unlikely