Office (OOXML) / .DOCX malware analysis — malicious · b8e5e1c4efe88f24

MALICIOUS

Office (OOXML) / .DOCX

123.8 KB Created: 2020-01-24 17:55:00 UTC Authoring application: Microsoft Office Word 16.0000

MD5: 86e99e0626fd00ec6d7e1d3cc1b5776a SHA-1: 519f161dec84d06f2041754dcb1a04ef2cd01f8f SHA-256: b8e5e1c4efe88f24bdda679cfb0abe540819e25486a1d46982910adfee2caa96

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The presence of a Document_Open macro and a GetObject call strongly indicates that the VBA code within this OOXML document is intended to execute automatically when the document is opened. ClamAV detections further confirm the malicious nature of the file. No specific malware family could be identified, but the execution of embedded VBA macros is a common delivery method.

Heuristics 6

ClamAV: Doc.Malware.Generic-7561114-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generic-7561114-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `2e69eaa04feffbb73e98259741bf4755e343bdf74147fd3a247cee8f53495784`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	13241 bytes
`vbaProject_00.bin` `106eae77aeacfe4074a08429ba8085d0c13fd08596c1596e54ec6b8689605d33`	vba-project	OOXML VBA project: word/vbaProject.bin	114176 bytes
Detection ClamAV: Doc.Malware.Generic-7561114-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.