Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5f848a7baf9305b0…

MALICIOUS

Office (OOXML) / .DOC

157.2 KB Created: 2021-02-22 19:48:00 UTC Authoring application: Microsoft Office Word 14.0000
MD5: a2b5abd3b75c3e230332c7c5c9e42117 SHA-1: 51f6019efc1cafb577696f4448767d7980136f75 SHA-256: 5f848a7baf9305b0b96f19471b68fee0052fe701f7a9d6d92a17c30fb258bff5
112 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The presence of an AutoOpen VBA macro and an external relationship heuristic indicates malicious intent. The VBA code uses wininet functions to interact with the network, suggesting it attempts to download and execute a second-stage payload. The external relationship points to a potentially malicious template file.

Heuristics 6

  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///C:\Program Files\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
2a783798690a2c2824f1ca754efde0be6c1ccb65a5eea7814ac70c98c3c1772f		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8311 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
vbaProject_00.bin
52387690d9d046dc68714a251e7cbbab2723d8d136a48943e7cf0254ddd5f5b0		 vba-project OOXML VBA project: word/vbaProject.bin 41472 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.