Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 bc9028296e79ac08…

MALICIOUS

Office (OOXML) / .DOC

Size: 375.4 KB
Created: 2021-03-03 22:26:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: 494bc5dfb57dfa2e10e08b0be7bf60fd
SHA-1: d46d1466f4b0a2bb3a1776f576bb04fdb2d35c53
SHA-256: bc9028296e79ac08c8116043a41d163268e9830fb7ed9c240fb3211409122ff4
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is a malicious OOXML document containing VBA macros, specifically a Document_Open macro that calls GetObject. The embedded script is partially obfuscated, but it appears to build and execute PowerShell commands that gather system information and may download further payloads. The combination of a Document_Open macro and a GetObject call strongly indicates that the document is designed to run malicious code automatically as soon as it is opened.

Heuristics (4)

  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs listed below are standard OOXML / WordprocessingML XML namespace identifiers from the document's own markup, not network indicators.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 3650cc4bec6809376ec087edee0edc3b67886a120d14eeacff3323f39447350b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3436 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 847e61280c4eb18fa4db7b2ee50c66299850bf40677ff2882d938950f7a84c97
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 18944 bytes