Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 024c17064b95d6e0…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 54af7def553d3e53f8c3376205bbe84b SHA-1: 701f8a9478adcc6324ce6c888d3ea3075f1fd690 SHA-256: 024c17064b95d6e09ee8abc87ec5865a29189c1fd9abd2a77a78adb4907b7571
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses the GetObject function. The VBA code itself is heavily obfuscated, but its structure suggests it is designed to execute a PowerShell command. This points to a macro-based downloader pattern.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6b70574e522192f342c652a78d15dc970cc4d952b5cb87e51ccce69cddff789a		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
0401b4adcc2d4e5dbed41f8aaf2a0cfc7d3e3c6438ae360a8c7f2fe6027de61d		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.