Office (OOXML) malware analysis — malicious · d6583986fc0285bf

MALICIOUS

Office (OOXML)

20.6 KB Created: 2021-07-11 09:14:00 UTC Authoring application: Microsoft Office Word 16.0000

MD5: a2da758479e932695aa08e36ce270965 SHA-1: 9d7bed6e9a066232bf7142afb4cc61879b066440 SHA-256: d6583986fc0285bf01497a8b4d8e183bc49f6c77ff8c33b03ac10ea09635ee3e

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros, specifically an AutoOpen macro, which is a common technique for malicious documents. The presence of the 'Valyria' ClamAV signature strongly indicates malicious intent. The VBA code includes API calls for process creation and manipulation, suggesting it's designed to download and execute a secondary payload.

Heuristics 5

ClamAV: Doc.Malware.Valyria-10015188-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Valyria-10015188-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `2e2cb9a694a94fba38f707ecf5ee8fa9f50764db19d624b5bf30a0383361c3f3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4401 bytes
`vbaProject_00.bin` `8808c45b80005d980ab16f5dd6166668618fc6f70eb9dd490ed163d3c86b3d94`	vba-project	OOXML VBA project: word/vbaProject.bin	21504 bytes
Detection ClamAV: Doc.Malware.Valyria-10015188-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.