Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 fca1f2a7dec31765…

Verdict: MALICIOUS
File type: Office (OOXML) / .DOC
Size: 34.4 KB
Created: 2021-03-02 07:21:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: dd0d067af212829f41ad9827a7687f6d
SHA-1: 516f6024a40816c70fbdf304560b404162610b94
SHA-256: fca1f2a7dec31765986014901c1ab26ee2490e00f27cb9e9390bed61cd0e0bfe
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing VBA macros, including a Document_Open macro that runs automatically when the document is opened. The presence of a GetObject call and the embedded script suggest the macro is intended to download and execute a second-stage payload. The script content, though partially obfuscated, indicates that it attempts to gather system information and potentially execute commands. Confidence is high because the macro auto-execution capability was detected directly in the decoded VBA source.

Heuristics (4)

  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: fc67ea11ed08e271e8e64279c3d817684923d21aa2ea6b9a1818fcccc46a7704
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3456 bytes
  • Filename: vbaProject_00.bin
    SHA-256: be94c581f7a4aa9c7d411519cdbc6e6631a81359645da5940ab0c2620cc354d1
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 18944 bytes