Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fd8bc5656d3be926…

MALICIOUS

Office (OOXML)

20.1 KB Created: 2021-07-25 23:24:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: d35b34e68850047b726ce490a61d37ab SHA-1: 68e080a64b2cc027c29035c0f08a2b695b1f7d10 SHA-256: fd8bc5656d3be9264df38f058b9a23dfb167eb9fbaa67e6879a2fbafe2617a79
242 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

This OOXML document contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code upon opening. The macro uses obfuscation to reassemble the string 'cmd.exe' and then calls the CreateProcessA API to execute it. This indicates the document is designed to download and execute a secondary payload, consistent with a macro-based downloader.

Heuristics 6

  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • ClamAV: Doc.Malware.Valyria-10012625-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10012625-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8100f626dea33ac2ab9429ddf4a26f13914c2c0aa316158a2c68a8fe5cc06ffe		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2052 bytes
vbaProject_00.bin
78d643f37b42fe890d30a94aa32fceca3430b67bb79c3ff70e7094ffbaa65c15		 vba-project OOXML VBA project: word/vbaProject.bin 19968 bytes
Detection
ClamAV: Doc.Malware.Valyria-10012625-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.