Office (OOXML) / .OLE malware analysis — malicious · 9b153e5e5d2b637d

MALICIOUS

Office (OOXML) / .OLE

90.9 KB Created: 2020-10-14 08:41:00 UTC Authoring application: Microsoft Office Word 16.0000

MD5: 78775daf988229ab17d40d2209046a7a SHA-1: 878097fa3131c2084fe032523f0f567f2ed30775 SHA-256: 9b153e5e5d2b637de5d6370dd3499207e7533e68af8bd77e5db8f9fd5b603e58

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is a malicious OOXML document containing a VBA macro. The presence of an AutoOpen macro indicates that malicious code will execute automatically when the document is opened. The ClamAV detection and heuristic firings confirm its malicious nature as a dropper. No specific network IOCs or further payload details were extracted from this sample.

Heuristics 5

ClamAV: Doc.Dropper.Generic-9823779-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Generic-9823779-0
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `946916bddf38e820a8e1f8b6af1682118709f7aa38e5a64996a8e2fe41357dd8`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	7172 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`vbaProject_00.bin` `a0990a6d68e2501c0027278d10f51a634b259eb5fa6f6ac8200c3393c2200ec0`	vba-project	OOXML VBA project: word/vbaProject.bin	37888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.