Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 ca7d0cd170dc3266…

MALICIOUS

Office (OOXML) / .DOC

Size: 55.7 KB
Created: 2020-08-10 00:51:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: 9a59fc2435737333486d786264c40542
SHA-1: 19ccdcf1cdafdd248080f7a0b4a481057125ebdf
SHA-256: ca7d0cd170dc326645352637b21087e96576f33aafebcb59cb3ea28952d7214d
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The sample is a malicious OOXML document containing VBA macros. The presence of an AutoOpen macro together with calls to Shell() and cmd.exe indicates that the VBA code is designed to execute arbitrary commands. This behaviour is consistent with dropper malware that downloads and executes a second-stage payload. No specific family could be identified, but the dropper behaviour is clear.

Heuristics (7)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • ClamAV: Doc.Dropper.Generic-9823774-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Generic-9823774-0
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin: VBA macros present
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

macros.bas
  SHA-256: 2b954092fbaa3710db6e69a5e7e0dc2c725f489fbd00d1c2269264eec6c7aafa
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1634 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

vbaProject_00.bin
  SHA-256: 33db6dd173f20670497c041bdba4f2ed854048752d6077a9fdbc025348645091
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 13312 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.