Office (OOXML) / .DOCM malware analysis — suspicious · 71a8e488b3d142bf

SUSPICIOUS

Office (OOXML) / .DOCM

239.9 KB Created: 2021-05-25 12:09:00 UTC Authoring application: Microsoft Office Word 12.0000

MD5: cb27d0bd9a97e053f3fbfcf4bba8b8fc SHA-1: abc72dd17e19f06a3724faf5452bd25a42d0f7de SHA-256: 71a8e488b3d142bfdfcc4092ac35cf32e7d5e55b68acd262d16707f6a09f9321

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer T1053.005 Scheduled Task/Job: Scheduled Task T1053 Scheduled Task/Job T1204.002 Malicious File: User Execution

The sample contains a VBA macro that executes upon opening the document. This macro, GushaisafileLeadr, creates a directory '%ALLUSERSPROFILE%\Dklhyrdas\' and writes obfuscated byte data to a file named 'irvrmjavhica' within that directory. The script also uses CreateObject("Shell.Application") and appears to be preparing to execute further code, indicating a downloader or dropper functionality.

Heuristics 8

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `a4e3634036f6d179b1388d70184a8730ca7d2150df98f4f61f70e5e2f435c076`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4760 bytes
`vbaProject_00.bin` `68f1c125b7f1f6a44642d8cbc21932397458235c7c1ba6a8fd1c98a3752f5d99`	vba-project	OOXML VBA project: word/vbaProject.bin	941056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.