Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1b38e8acf1943ad4…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 2e2fc007f034109c52224c6bf2109276
SHA-1: 33e6e735e2faf890110f4d5357b83e19cbe67932
SHA-256: 1b38e8acf1943ad4be31dfee53c3d4d7077f00d4a84e4fc4716887662e0d5333
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate that the VBA code references cmd.exe and PowerShell, suggesting it is designed to execute commands on the host system. The presence of a Base64 decoding function in the VBA code implies that the malicious content is stored encoded and decoded at run time before execution, possibly to download and run a secondary payload.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: c1495bbbc5de06a914dd6c35c9c07313f7f582b9075a68d3bdb4161777f864dc
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 2d99dd9dcb4d46e440d0d454abe37c0e1edac5a2feae6725e9246842973d1684
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes