Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 f77205a9238a123b…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOCX

Size: 129.3 KB

MD5: d6cf93b031f2e3b8758c41f5ce665a1f
SHA-1: dd3040f2b246bf729de40573721442d8efd4e070
SHA-256: f77205a9238a123b74b764be6e2132777e1f3eda9c515f31219387c45629e3ea

Risk Score: 228

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic (sub-technique of T1059 Command and Scripting Interpreter)

The OOXML file contains VBA macros, specifically a Document_Open macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands upon opening the document. The presence of embedded OLE objects and the suspicious extracted artifact 'macros.bas' further support the malicious nature of the file, likely serving as a downloader or initial execution vector.

Heuristics (7)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • Document_Open macro [high] OLE_VBA_DOCOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin, i.e. VBA macros are present.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Environ() call (environment variable access) [low] OLE_VBA_ENVIRON

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: c1c18958f2c4c14996ae6b5f8c9e5e675046bf1691e213c01c5b81f04e13711d
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3275 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)
  • ooxml_oleobject_00.bin
    SHA-256: 4f5b450af343d4405de13d65a3be4001df383dd7a82e66d36c7d18f9c93b2dbd
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word\embeddings\oleObject3.bin
    Size: 20708 bytes
  • ooxml_oleobject_01.bin
    SHA-256: da757853f4940996087b6755dd65eba3c9c5bdce29deebf5ded92e752ab6896c
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word\embeddings\oleObject1.bin
    Size: 261842 bytes
  • vbaProject_00.bin
    SHA-256: a4e458961c4617f05a6f63d01f99713f68b16b6ee96ac72ca8e1c82001779d89
    Kind: vba-project
    Source: OOXML VBA project: word\vbaProject.bin
    Size: 14848 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)