MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Doc.Trojan.Maldade-10036492-0. Static analysis revealed the presence of VBA macros within the OOXML document, which is a common technique for executing malicious code. The extracted VBA macro, though simple, confirms the presence of executable code within the document.
Heuristics 3
-
ClamAV: Doc.Trojan.Maldade-10036492-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Maldade-10036492-0
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 82 bytes |
SHA-256: 79196917f7163dcf0d890412429a260f10eda6e147fd7593eb1674a079adf6ef |
|||
Preview scriptFirst 1,000 lines of the extracted script
Sub Hello()
Dim X
X=MsgBox("Hello VBS")
Sub Hello()
Dim X
X=MsgBox("Hello VBS")
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 24576 bytes |
SHA-256: 3610c1d2b3fd6c8930f9a086db7958688a00209e33629385cdf66049db167153 |
|||
|
Detection
ClamAV:
Doc.Trojan.Maldade-10036492-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.