Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 82f6a3c51a93d604…

MALICIOUS

Office (OOXML) / .DOC

211.7 KB Created: 2026-04-14 08:12:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2026-04-15
MD5: a20ba154910598160b4efec822b10c19 SHA-1: 10217fa81b6c4ddfea15e2ef3ab7dbb870acc40d SHA-256: 82f6a3c51a93d604d30ca824c81cfca765d1c59f2df8705f132afc7874d84c41
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML document containing a Document_Open macro, which is a common technique for initiating malicious activity upon opening. The VBA script is heavily obfuscated but appears to construct a string that is likely a URL for downloading a secondary payload. The high-confidence heuristics for VBA macros and CreateObject calls further support this assessment. The script's intent is to download and execute a second-stage payload, typical of a downloader malware.

Heuristics 5

  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
360e002b9565fa94c5a8e357d76b83abc4f7d6b93b655e6681fbf95e5c20c10a		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3716 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
fc0125b052427b508953cb5a2a195cde29926caef99a946304837bf1a75f43be		 vba-project OOXML VBA project: word/vbaProject.bin 15360 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.