Office (OOXML) / .DOC malware analysis — malicious · 6da682d86a23652d

MALICIOUS

Office (OOXML) / .DOC

33.8 KB Created: 2017-05-25 19:12:00 UTC Authoring application: Microsoft Macintosh Word 14.0000

MD5: 19f2ac20ee9c94dd27861cbd65fdc669 SHA-1: a96d8d5c5dcdcdbcfc13f473b6dac9b8bd073224 SHA-256: 6da682d86a23652dc735e89b4c17ac6fe64d70d330b32a600f8be452d45bf919

442 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1140 Deobfuscate or Reverse Engineer Malicious Software

The sample is a malicious Office document containing VBA macros. The AutoOpen macro attempts to decode a Base64 string from the document's 'Comments' property and then execute it. On Windows, it writes the decoded content to a temporary executable file and runs it using WScript.Shell. On macOS, it uses a system call to execute the decoded content via Python. The obfuscated shell command and the use of Base64 decoding indicate an attempt to hide the malicious payload.

Heuristics 10

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
ClamAV: Doc.Malware.Valyria-6728957-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Valyria-6728957-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.motobit.com
- http://Motobit.cz
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/mac/office/2008/main
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `3fbc2ef94a618e17d5a6ba5af930717982f8239ff4eded5753681755be17f4ca`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2931 bytes
`vbaProject_00.bin` `635a875e3ae07b99a521c0222d87b4cab342ce6b00fdce8cbae6e5f81dd4492f`	vba-project	OOXML VBA project: word/vbaProject.bin	15872 bytes
Detection ClamAV: Doc.Malware.Valyria-6728957-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.