Malicious Office (OOXML) / .DOCM — malware analysis report

Static analysis result for SHA-256 e38c39e302de158d…

MALICIOUS

Office (OOXML) / .DOCM

Size: 4.56 MB
First seen: 2023-10-09
MD5: 22ce9042f6f78202c6c346cef1b6e532
SHA-1: b67712125dce3f8b5d197fcc46aaf627da2fb7eb
SHA-256: e38c39e302de158d22e8d0ba9cd6cc9368817bc611418a5777d00b90a9341404
Risk Score: 288

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

This DOCM file contains obfuscated VBA macros designed to execute malicious code. The Document_Open macro is triggered upon opening, which then uses CreateObject to interact with the file system and potentially execute a payload. The script attempts to create a directory '%USERPROFILE%\Wrdix\', copy the current document into it, rename it to 'do_mc_xs.zip', and then extract its contents, likely to deploy a second-stage payload.

Heuristics 8

  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project (VBA macros present)
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • macros.bas
    Kind:    vba-macro
    Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
    SHA-256: aeb3e66a27e89e45ca1cd935cb2e5f69ed9b99354bb888f00076018fa15c2d53
    Size:    3307 bytes
  • ooxml_oleobject_00.bin
    Kind:    ooxml-ole-object
    Source:  OOXML embedded OLE part: word\embeddings\oleObject1.bin
    SHA-256: ce556d55e07bf6b57e3e086e57e9c52552ac7f00adf4a7c9f99bbc21a5ac26c2
    Size:    4772779 bytes
  • ooxml_oleobject_01.bin
    Kind:    ooxml-ole-object
    Source:  OOXML embedded OLE part: word\embeddings\oleObject3.bin
    SHA-256: 858fa6814f8393cfaaee59ccf303cf26b18b3d7e8a2471785c733784083b602d
    Size:    120679 bytes
  • vbaProject_00.bin
    Kind:    vba-project
    Source:  OOXML VBA project: word\vbaProject.bin
    SHA-256: 68ddd87b266da5bed0febeb30797df4488034896f89fa052c165c445d0fd6dbf
    Size:    16384 bytes