Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 e9d102433d9b8c15…

MALICIOUS

Office (OOXML) / .DOC

Size: 1.04 MB
Created: 2022-07-05 08:08:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2022-07-18
MD5: adff54937004b31bd45af88c2d8f55da
SHA-1: 737aab4a5da9a4b931f7fa737336b62b12337928
SHA-256: e9d102433d9b8c15546c66f753220094efbdb9ad74f352510271ffc132d8ce03
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing VBA macros. It triggers the AutoOpen and Workbook_Open heuristics, indicating it is designed to execute code as soon as the document is opened. The critical ClamAV detection further confirms its malicious nature. The VBA script appears to be a downloader, likely responsible for fetching and executing a secondary payload, though the exact download URL is not directly visible in the provided script excerpt.

Heuristics (7)

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • macros.bas
    SHA-256: 52c073ebdb0621a21fb3e4277785af348d50b5937268dd9d2f7fa1323d1c30c0
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3316870 bytes
  • vbaProject_00.bin
    SHA-256: b830731f2ef7fadc191f9f30411489c8be27896dbb738a593fd90d5e24addbcd
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 3244544 bytes

Detection: ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: unlikely