Office (OOXML) / .DOCM malware analysis — suspicious · 7bc840f3e200c5c8

SUSPICIOUS

Office (OOXML) / .DOCM

3.33 MB Created: 2021-03-15 12:26:00 UTC Authoring application: Microsoft Office Word 16.0000

MD5: b0527860dce067ded04f8ed8cf99b7c1 SHA-1: 4827966bf79e78991d8c1d94a1a2ff1d71ab371a SHA-256: 7bc840f3e200c5c877b411614a96a364f5402060db380a7691aeaabff18b602c

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is a DOCM file containing VBA macros. The presence of a Document_Open macro and a Shell() call indicates that the macro is designed to execute commands upon opening. The script also contains functions to convert byte arrays to strings and read file content, suggesting it may be involved in downloading or processing a payload. The exact URL or payload is not directly visible due to obfuscation or truncation.

Heuristics 6

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `fa6f497a00731e54922c9c9dab48655ac508af4f78ab22bc7cb7e5edcaaa7235`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	8388608 bytes
`vbaProject_00.bin` `6fc57d83d87f077f0f1fc1b05bf07e5362942765f763649f54e7a019b7db6b7a`	vba-project	OOXML VBA project: word/vbaProject.bin	3781120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.