Doc.Trojan.Maldade-10036492-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 b6c4fdc6dd62dc2f…

MALICIOUS

Office (OOXML)

18.0 KB Created: 2021-09-02 13:13:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-16
MD5: ec4f18e2c2045cf91c1d01ea92bd8ada SHA-1: f8512bf6728aeeb38928ee13198c3667381ba5cc SHA-256: b6c4fdc6dd62dc2f80b8bcb28a3a32508e9969ba754cad404f23556a7c5b4517
142 Risk Score

Malware Insights

Doc.Trojan.Maldade-10036492-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Maldade-10036492-0. Static analysis revealed the presence of VBA macros within the OOXML document, which is a common technique for executing malicious code. The extracted VBA macro, though simple, confirms the presence of executable code within the document.

Heuristics 3

  • ClamAV: Doc.Trojan.Maldade-10036492-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Maldade-10036492-0
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 82 bytes
SHA-256: 79196917f7163dcf0d890412429a260f10eda6e147fd7593eb1674a079adf6ef
Preview script
First 1,000 lines of the extracted script
Sub Hello()
Dim X
X=MsgBox("Hello VBS")

Sub Hello()
Dim X
X=MsgBox("Hello VBS")
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 24576 bytes
SHA-256: 3610c1d2b3fd6c8930f9a086db7958688a00209e33629385cdf66049db167153
Detection
ClamAV: Doc.Trojan.Maldade-10036492-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.