Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1d5396558ff060ff…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f7a27b49c56ddb207956f2182691f3ca
SHA-1: e21d004b971523d4d9f4a62ffef17ece2e57e56c
SHA-256: 1d5396558ff060ff65fb2750744a071988670e3f80c088efa8a0b2fdd4e40af9
Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The sample is an Office document containing VBA macros. Heuristics indicate references to cmd.exe and PowerShell within the VBA code, along with a GetObject call. This strongly suggests the macro is designed to execute arbitrary commands or to download and run further malicious payloads. The Base64 decoding function present in the script further supports the conclusion that the code executed is obfuscated.

Heuristics (4)

  • PowerShell reference in VBA (critical) OLE_VBA_PS
  • GetObject call (high) OLE_VBA_GETOBJ
  • cmd.exe reference in VBA (high) OLE_VBA_CMD
  • VBA project inside OOXML (medium) OOXML_VBA: document contains a VBA project, i.e. VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256: b2d3ad1129c1513913b488c1902bace194f85a40bdd2b7898547a45cbeecfb30
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes

Artifact 2
  Filename: vbaProject_00.bin
  SHA-256: 11102272a3fa317179a65a11bf134c08f0d8bc532fc7c61c7d72f3acdc6c5f01
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes