Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1a00744c3704184e…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: adb698f7fb1b9ee8d7dd02a1a8f40a26
SHA-1: 451ce6ff059d43d5a8dc7dc7a3090ab62e008ff0
SHA-256: 1a00744c3704184e0985261f725415deb0d4f945a73a24792bf1f88aa11b02bb
Risk Score: 160

Malware Insights

MITRE ATT&CK
  T1059.001 Command and Scripting Interpreter: PowerShell
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1204.002 User Execution: Malicious File

The Excel document contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute arbitrary commands. The GetObject call further suggests the potential for object manipulation or execution. The presence of obfuscated VBA code, including a Base64 decoding function, points towards downloader or dropper functionality, aiming to fetch and execute a secondary payload.

Heuristics (4)

  • PowerShell reference in VBA — critical — OLE_VBA_PS
  • GetObject call — high — OLE_VBA_GETOBJ
  • cmd.exe reference in VBA — high — OLE_VBA_CMD
  • VBA project inside OOXML — medium — OOXML_VBA
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: b7ba4c8f8bf3745a5b616a2cec24b4b4ea100eac40b96d7437989df0cc5e204f
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 271b2522ec5c33d7ea1a2bbe807b890e3387bdd3489a85c2cef11e9f3cc4eeed
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes