Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 bea9bc4cc34e56e0…

MALICIOUS

Office (OLE) / .DOCX

300.5 KB Created: 2001-05-06 18:43:00 Authoring application: Microsoft Word 8.0
MD5: bb69325cb22022df6d4ff3404a46efce SHA-1: 50b6b84c5a8e1be9487ad61189484627495c7f47 SHA-256: bea9bc4cc34e56e0fd604101d866226d2e93aa7bd53fc8c70d23111234e8f01c
360 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1059.001 PowerShell

The sample contains VBA macros with AutoOpen, AutoClose, and AutoExec subroutines, indicating an attempt to execute code upon document interaction. The script explicitly calls the Shell() function and attempts to export and import VBA components, suggesting it aims to establish persistence by modifying the Normal.dot template. The comment 'Cross.Poppy Word Component' and the mention of 'SexR-1 and Detox' hint at a known malware family, but without further IOCs, attribution remains uncertain. The script also attempts to find executables in the Office installation directory, likely for payload staging.

Heuristics 8

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Cross-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Cross-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
533c3547f2d08c62d1e32e9791505dad1abd1e91b11914f4bbdf6049f2e6ea65		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 473999 bytes
Detection
ClamAV: Doc.Trojan.Cross-1
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.