Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0f754a268c1769eb…

Verdict: MALICIOUS
File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 69f0318591269a3eb4049ee6b7321540
SHA-1: f1e02773ef90fe9a6beb2752acab8fcdb7b50403
SHA-256: 0f754a268c1769eb4ed2c2494f22755a1e6529878057deb4655c2f482e6e86e2
Risk score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an Office document containing VBA macros. Heuristics indicate the VBA code references cmd.exe and PowerShell, suggesting an attempt to execute arbitrary commands. The GetObject call further supports the possibility of object manipulation for malicious purposes. The VBA code itself appears to be obfuscated, but the presence of these indicators strongly suggests a downloader or dropper functionality.

Heuristics (4)

  • PowerShell reference in VBA [critical, OLE_VBA_PS]
  • GetObject call [high, OLE_VBA_GETOBJ]
  • cmd.exe reference in VBA [high, OLE_VBA_CMD]
  • VBA project inside OOXML [medium, OOXML_VBA]
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas (kind: vba-macro, size: 35036 bytes)
    SHA-256: 659462b6b3adf2e15285c5afac1913623af16c078196d82bd22760dce8d3379f
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  • vbaProject_00.bin (kind: vba-project, size: 11264 bytes)
    SHA-256: 568f5ce2d217238354e3d712c36b3346e07f609ff03ff7b26facbe02410bf082
    Source: OOXML VBA project: xl/vbaProject.bin