Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 c94a871f160afd08…

MALICIOUS

Office (OLE) / .DOCX

55.0 KB Created: 2022-09-15 08:28:00 Authoring application: Microsoft Office Word
MD5: 9336c84d9d860aae3cf5e970043dbc3c SHA-1: 5e762e639478a920d9ea83b3dbbe45cf112c5619 SHA-256: c94a871f160afd085d95fd08ebd4d03e502be73776a175402ab4e6a85c006bd4
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The sample is a malicious DOCX file containing VBA macros, including AutoOpen and Document_Open, which are commonly used to initiate malicious activity upon opening. Heuristics indicate the use of VirtualAlloc API, suggesting dynamic code execution. The ClamAV detection name 'Doc.Malware.Valyria-10001333-0' further confirms its malicious nature. The macros likely download and execute a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Malware.Valyria-10001333-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10001333-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/office/2006/documentManagement/types
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9df005f9da877e2d1261f1b518b59b933869a545e7b229fbc56c7175329296b3		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2461 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.