Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b277a824b2671f40…

MALICIOUS

Office (OOXML) / .DOC

Size: 89.2 KB
Created: 2023-01-25 17:07:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-05-31
MD5: ffa2e6f6a7a8001f56c352df43af3fe5
SHA-1: 78a14c070f2efa0a22e08fd74b7947c2d8354641
SHA-256: b277a824b2671f40298ce03586a2ccc0fca2a081a66230c57a3060c2028f13ee
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1071.001 Application Layer Protocol: Web Protocols

The sample is an Office document containing VBA macros that are designed to be executed when the user enables them. The macro downloads content from 'http://luckyoilpk.com/vlan.html' and writes it to 'C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vlan.exe', likely to establish persistence and execute a second-stage payload. ClamAV detections confirm this is a known downloader.

Heuristics (6)

  • ClamAV: Vbs.Downloader.CetaRAT-9992290-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Vbs.Downloader.CetaRAT-9992290-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    The VBA code calls CreateObject to instantiate a COM object at runtime; macro downloaders commonly use this to obtain networking, filesystem or shell objects, which is consistent with the download-and-write behaviour summarised above.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://luckyoilpk.com/vlan.html (the download URL used by the macro, see the summary above)
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    The six schemas.* entries are standard OOXML XML namespace URIs present in any Word document and are not network indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: cb2a0f5d2b579e9e83a8fe0c48a14e20069353fb8660e569b73bd4d8781326d2
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1476 bytes
    Detection: ClamAV: Vbs.Downloader.CetaRAT-9992290-0
    Obfuscation or payload: unlikely
  • vbaProject_00.bin
    SHA-256: 395375e92da19248995e9a90f70856f803fea2a450b535ed37ba96bf0f431ca4
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 10240 bytes
    Detection: ClamAV: Vbs.Downloader.CetaRAT-9992290-0
    Obfuscation or payload: unlikely