Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5c89cd7df8d50da7…

MALICIOUS

Office (OOXML) / .DOC

Size: 70.3 KB
Created: 2020-09-14 13:59:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 25bf1f7d262af3411cd5f51507b82da6
SHA-1: eb4cb096af3276d02a8005460ff5a2aedf8a7f18
SHA-256: 5c89cd7df8d50da7bac65f5eac60deeb668a41604c209e68902e90c8447efd98
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros, specifically an AutoOpen macro that calls the Shell() function. This indicates the document is designed to execute arbitrary code upon opening. The presence of the ClamAV detection 'Doc.Downloader.835b97208387fc57-OOXML-9981517-0' further supports its malicious nature as a downloader. The VBA code itself is heavily obfuscated, but the AutoOpen and Shell() calls are clear indicators of malicious intent to download and execute a secondary payload.

Heuristics (6)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Downloader.835b97208387fc57-OOXML-9981517-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.835b97208387fc57-OOXML-9981517-0
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project: VBA macros present
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ocThisDocument
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl0M
    • http://www.microsoft.com/pki/mscorp/cps0

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  7041 bytes
                   SHA-256: 37255d1940c4a9d9d87e75b656221efc605a07518aa36e3f6e8a904231827109
vbaProject_00.bin  vba-project  OOXML VBA project: word/vbaProject.bin                          30208 bytes
                   SHA-256: 9266d00aecfdc45549ee8dd7cbc38fce5674061c90859aae6e8e36a6ed95f30d