Office (OOXML) malware analysis — malicious · 09faf115bb2bb23a

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: 400b4f7c3b5f2cd1e59bd993a27e5ce0 SHA-1: 79422c608090d9a0e5a27f34df00291d0134fd1a SHA-256: 09faf115bb2bb23a88f88b662c859133dc24a9c97f6081364cb9e0e31802271b

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic 'OLE_VBA_PS' indicates a PowerShell reference within the VBA macros, and 'OLE_VBA_CMD' shows a cmd.exe reference. The 'GetObject' call further suggests dynamic execution. These combined findings strongly imply the VBA code is designed to launch external processes, likely for downloading and executing additional malicious content. The presence of a VBA project within an OOXML file is a common delivery mechanism for macro-based malware.

Heuristics 4

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `1e140f00722d91bd7bbc8292de7cfac4368c1926a185bb92c963980e69889c0a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	34430 bytes
`vbaProject_00.bin` `ee7f6524dc542e8b4cbf172c5d5b54f01bbfe08ed22b7fc9054bb5ca2f89b72e`	vba-project	OOXML VBA project: xl/vbaProject.bin	11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.