Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1959fd95ec98d303…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 6d1373cf7431a22049ae61a8900ebfd1
SHA-1: 197fc2d27a95815f3075504f93e329e63325616c
SHA-256: 1959fd95ec98d303c5a2ed185e52978c838cf766a498614ae8f248b1cbbba116
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The OOXML file contains VBA macros that reference PowerShell and cmd.exe. The GetObject call, together with the presence of VBA macros, suggests an attempt to execute arbitrary code. The script's functionality, including Base64 decoding, indicates that it is likely preparing to download and execute a secondary payload.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA): the document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: d4733ca4a1931e92faa7dbe924c2af29cf9dfe3b3a2b1d850362e62c99a6db94
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 1c761bfdbce9c3f48dbff12c974331ef633b400ca8eea3b9c2433075d4a66ab9
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes