Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 9ece8f2b95927ba1…

MALICIOUS

Office (OOXML) / .DOC

Size: 26.8 KB
Created: 2020-10-14 18:34:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: 4b7a5016555118a6613815cd1ad803a7
SHA-1: 71e0602c065e8fa94c5f6d1afeaabf51361430ed
SHA-256: 9ece8f2b95927ba1e74055336adcb337115f604a7b9a667c7d65970892469ccd
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1566.001 Spearphishing Attachment

The file is an OOXML document identified as malicious. It contains VBA macros, specifically an AutoOpen macro, a common technique for executing code automatically when the document is opened. The presence of the AutoOpen macro suggests the intent is to run arbitrary code, likely to download and execute a second-stage payload. No specific malware family could be identified, but the delivery mechanism (a macro-enabled document sent as an attachment) is clear.

Heuristics (3)

  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA project inside OOXML (severity: medium) OOXML_VBA
    Document contains vbaProject.bin: VBA macros present
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample every extracted URL is a standard OOXML/WordprocessingML schema namespace URI (schemas.openxmlformats.org, schemas.microsoft.com), i.e. an XML namespace declaration rather than a network indicator.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: c90ac2def3d05cb8b63596f71c9154b5168a0cc16da20aef425e1729b38ebe38
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 7153 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 3e158728df066d828187ab68a9cc2a27c1f863c79853315d8bd0d7a7775c9aa9
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 41472 bytes