Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b8756966cf478aa4…

MALICIOUS

Office (OOXML) / .DOC

618.8 KB Created: 2021-03-02 00:26:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: 82b36c510877ca7a59d20415ff939e0e SHA-1: fad4080d60f4ed53c0fcbd0ec3005728cd99a909 SHA-256: b8756966cf478aa401a067f14eefb57f34eea127348973350b14b5b53e3eec4f
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The OOXML document contains a VBA project with an AutoOpen macro, indicating that malicious code is intended to execute automatically when the document is opened. No specific family could be identified, and no external URLs or network indicators were extracted from the sample.

Heuristics 4

  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a9b5c66963728565076fd56058a56d1bdd0c66e90ed934f57a36d655036e9f66		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4766 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
vbaProject_00.bin
9f66686b9f2622ea95f106362867a528fabd6934fb1635850654812cd84167fa		 vba-project OOXML VBA project: word/vbaProject.bin 19456 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.