Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 d98270a5b134ece0…

MALICIOUS

Office (OOXML) / .DOC

3.25 MB Created: 2022-08-15 02:01:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2022-08-15
MD5: 91b066f33f508ab4d3ba9bada41b0f55 SHA-1: 000c8f4decf6cf18db53211420a7636bbbea6d5f SHA-256: d98270a5b134ece0839044be9d7779e43a1ba45a446a477106c2ab1261b3c04d
242 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file contains a VBA project with a renamed part, indicating an attempt to evade detection. The presence of a Document_Open macro and GetObject/CallByName calls suggests that obfuscated VBA code is executed upon opening the document. This code likely acts as a downloader for a secondary payload, as indicated by the ClamAV detection name 'Doc.Downloader'. The VBA code uses obfuscated function names and string concatenation, making precise analysis difficult, but the overall intent appears to be malicious payload delivery.

Heuristics 7

  • ClamAV: Doc.Downloader.9f7ec430680ff08e-OOXML-9981523-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.9f7ec430680ff08e-OOXML-9981523-0
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/fTtxJpbDoh.bin)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7a7f3a598d472aa4770f360205e70ed03cb3a2dec76a290e430128004a0418df		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 11880 bytes
vbaProject_00.bin
c2f9b00f7864f356ec2e553d7466958b021c6130664e7200ec383eed7923c0df		 vba-project OOXML VBA project: word/fTtxJpbDoh.bin 13824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.