Malicious Office (OOXML) / .DOCM — malware analysis report

Static analysis result for SHA-256 e84b0cada4252297…

MALICIOUS

Office (OOXML) / .DOCM

139.6 KB Created: 2021-11-15 15:39:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: 2631f9c6db603cace541a89c2bcca4b3 SHA-1: 7f516586a5fb5f65f1c2fd721cdad7c2bb498b36 SHA-256: e84b0cada4252297cc60e674f20f65afdbd949ed2c6897c61a7b6adfb1b7f6e8
382 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File T1059.003 Windows Command Shell

This DOCM file contains VBA macros that are automatically executed upon opening, indicated by the Document_Open macro firing. The script utilizes WScript.Shell to execute a command that reconstructs a URL, 'http://visteme.mxc/shop/wp-admin/PP/', and downloads a second-stage payload. The use of Shell() and CreateObject() functions further supports the malicious intent of executing arbitrary commands and downloading external content. The ClamAV detection also confirms the malicious nature of the file.

Heuristics 9

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • ClamAV: Doc.Malware.Valyria-10033907-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10033907-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d5a25b7bf0ccedb249c27ef36e62fa12ba8e2ff73f7114a3a1f9f528858c345b		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3999 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
77b8e5da20fd616b56f24c7246353eed5933eaf42dc7f917f1d8cebba7b0e33e		 vba-project OOXML VBA project: word/vbaProject.bin 16896 bytes
Detection
ClamAV: Doc.Malware.Valyria-10033907-0
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.