Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 dc425e93e83fe02d…

MALICIOUS

Office (OOXML) / .DOCX

38.6 KB Created: 2018-11-08 07:01:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: 6b116d471a787eb520869ed5c6965fa8 SHA-1: ec4bd72fcb440f47912d06c75a9d56ad86953f70 SHA-256: dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The OOXML document contains a VBA project with an AutoOpen macro, indicating it is designed to execute code automatically when opened. The presence of 'CreateObject' calls suggests the macro attempts to interact with the system or download additional payloads. No specific family could be identified, but the execution method is clear.

Heuristics 5

  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
442c961dfded870f4b2f644ba59a19e70b6ee7a0153158ae2f52e6b8d76d1bed		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 904 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
ffea128aa0d9af70de3af980147d5e4986f765f5295f94d82cc081598726da47		 vba-project OOXML VBA project: word/vbaProject.bin 10752 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.