Office (OOXML) / .DOCM malware analysis — malicious · b6e5c0406badcddf

MALICIOUS

Office (OOXML) / .DOCM

4.75 MB Created: 2023-09-07 03:16:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2023-09-12

MD5: b390e6672f4d4f66f78bf3f3719dff20 SHA-1: 0da29451486a4472552ee2bb8cb00e9545416b4e SHA-256: b6e5c0406badcddf9a446933f51fddb70f6c2291fe08eb71d258d5457d67dbee

292 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer

The OOXML document contains a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The macro employs obfuscation techniques and uses CreateObject to instantiate COM classes, likely to download and execute a secondary payload. The presence of a large encoded blob and the overall structure suggest a downloader or initial access mechanism.

Heuristics 10

Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA instantiates a COM class by raw CLSID high OLE_VBA_GETOBJECT_CLSID_EVASION

VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID — an uncommon bypass of name-based macro detection.
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `23b61c9bd3aefe9bec4cbb4f88711b7ac95ded98cfb3bd73360f48bcde680e22`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4523506 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1985 long base64-like blob(s).
`vbaProject_00.bin` `4fb29f6da3ab4929b763b77112e256f852580d5b68cfa78628e533923635bd49`	vba-project	OOXML VBA project: word/vbaProject.bin	7983616 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2391 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.