Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 096f50197861eb22…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: cbd3fdd41102588c6fd5ee013a921759
SHA-1: 17af1f4e1bc78e488c4aac426e460628d2fe279a
SHA-256: 096f50197861eb223efc9ef994250d4c6a5a03220b0623ded336d77c21c037d1
Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The Excel document contains VBA macros that reference cmd.exe and PowerShell. The presence of these references suggests the macro is designed to execute external commands, most likely to download and run a secondary payload. The GetObject call further indicates that the macro may instantiate COM objects to manipulate the system or execute external code.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA) — document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename         | Kind        | Source                                                          | Size
macros.bas       | vba-macro   | oletools.olevba.extract_macros (decoded VBA source from OOXML)  | 34430 bytes
                 |             | SHA-256: fd8ec19a7c6a60afe7db1d94bef697d7afb696909b3da7ba5259c87a402aed46
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin                            | 11264 bytes
                 |             | SHA-256: 09ae74bff58a2e8461bb28ed1771f8379ed760a3b7a71db781479d652101c98b