Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 00285cfffcd6fee7…

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: f13831ae793b2c6829da45b9c531c2d7 SHA-1: 964d6e3397849f68cc1448fbade3a6d317afea65 SHA-256: 00285cfffcd6fee7b3fd2f9c1f79afd1e1593c864423c58eafd4cf710029974c
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA code itself appears to be obfuscated, but the presence of these indicators strongly suggests it's designed to download and execute a secondary payload. The primary attack vector is likely spearphishing.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1415d4f7d46e4e149b56bcf5d67cb8d7382e3c9ae92c2fae38a8fa83006a57f9		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
5e19d3aa1cbd41a7cd9ac7b6adfefc70877519a7ebda1b9800e21fdea9b15397		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.