Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 162d5c50d029107c…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: cc23f328281e20b7e65f9dbd8f48c7e7
SHA-1: 44d8482b2da8e12215822ebdcffa67d2b7af5b07
SHA-256: 162d5c50d029107c7219f5ba72130f20c1ca3ea5e4213f7b3e295fb348955c3a
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate that the VBA code references cmd.exe and PowerShell, suggesting it is designed to execute commands on the host system. The GetObject call, combined with the presence of VBA macros, strongly suggests malicious intent, most likely to download and execute a secondary payload.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA): the document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
    SHA-256: f53ba3650df24408d01916fd75e0a71478d1eeeae629674a4ff002de4f015074
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: 2ae083b8c7abedc8a802c595438acd5cf795fe2c06e55d176a1d29d6e2e4812f