Office (OLE) / .DOCX malware analysis — malicious · 6259b2a09c3a27eb

MALICIOUS

Office (OLE) / .DOCX

14.28 MB Created: 2022-02-08 14:46:00 Authoring application: Microsoft Office Word

MD5: b27b5a4544fff30533d7f02d00b8655b SHA-1: 66fe9e87f5ed915adac8630d6230becc50cfc9af SHA-256: 6259b2a09c3a27eb57013494d0a4f58c4595c73e941b915bd0d3382d0a1cc1d0

64 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file was detected by ClamAV as a Doc.Dropper.Downloader. The embedded VBA macro contains obfuscated code that, when deobfuscated, reveals a URL from which it likely downloads and executes a second-stage payload. The macro's intent is to facilitate the download and execution of further malicious content.

Heuristics 3

ClamAV: Doc.Dropper.Downloader-6398288-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Downloader-6398288-0
Scan did not complete info SCAN_INCOMPLETE

Office scanner subprocess failed (worker timed out); this file was not fully inspected. The result is not cached so a later submission will re-trigger the scan.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `858d3dc32a4fd7e883b99dddb4fade82d26f31cf8a35056f7d382ad2aaaec590`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8388608 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3938 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.