Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 ee25c4499e8a734a…

MALICIOUS

Office (OOXML) / .DOC

169.0 KB Created: 2021-04-28 05:29:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: 6797b4414f66c60fb0df64e3af960e6e SHA-1: d247091ee13421e7d0c89d5ced7721cb8e452901 SHA-256: ee25c4499e8a734abb4b6ec069691c3df1b337510ccf59f648764ee846f8c63d
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The OOXML document contains VBA macros, specifically an AutoOpen macro, which is designed to execute automatically upon opening. The macro utilizes CreateObject to likely download and execute a second-stage payload from the provided URL. This indicates a downloader or droppper functionality.

Heuristics 5

  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://goose-gaines2011.com/bijol/L4M7BiOSmEgyoAcnw5g38CvO28wl/rUDzPcv/laka13?46TmDE=a5vuzJ9&ref=xlAx8G8SVf9Nn7&cid=U1gBHO0O5XHzbG&ref=HQ1idua2YsJPcBo
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
4f312dfe9c4b814d24d8e6fbd8f116a0f5da2018c944561ccddd6377f41f7493		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3005 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
ceb8f3f72c0b9f2b08351ac205a12f0045b6b6c95a400fe47f967e611a12ea17		 vba-project OOXML VBA project: word/vbaProject.bin 26624 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.