Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1a08c961f1b84cbd…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ccfd06e1b62d662c54e5c0745c128b87
SHA-1: 3e4612c78f776903d827485d36af6d0b129489cc
SHA-256: 1a08c961f1b84cbdcef840711d2b184ef2e637d1e8357449bd8e69f4910008d9
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell; T1059.005 Visual Basic; T1204.002 Malicious File

The file contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute commands. The presence of a GetObject call further suggests dynamic execution of code. The macro code itself is heavily obfuscated, making it difficult to determine the exact payload, but the overall pattern points to a downloader or initial execution stage.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project; VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                           Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)   35036 bytes
                   SHA-256: 0232ede8fa2417a81ff063c69cd34224c5a745a767bd1ca0f96b89d164ee2dd8
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                             11264 bytes
                   SHA-256: 036f5265d43d510fb7c869ce405fd9f49af5c9922298474c5989042cd11e19ce