Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0bf00b806683259d…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 54d88bdd7f994daf49655a850ce5ad8d SHA-1: 0536c9cba18ae720c0d0769f2b948c86f301b1cd SHA-256: 0bf00b806683259ddcd1995722ea6e5567927ace327fab3cd623e16185109756
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The sample is an OOXML document containing VBA macros. Heuristics indicate the presence of VBA macros, references to PowerShell, and calls to GetObject and cmd.exe. The VBA code appears to be obfuscated and includes a Base64 decoding function, suggesting it is used to download and execute a second-stage payload. The primary techniques observed are the use of PowerShell and cmd.exe for execution, and the overall delivery mechanism is likely spearphishing attachment.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
10c7b113494bbac803ce27efa214c41b8b415e39489e63518e23d3e24bfee232		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
56a1f722a420e30d1b26c6f6811048302a44c45e3f6b43af1d9aea75e6e71efd		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.