Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1e987c4499e2b581…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 31bcc4428646e5c5729fd8996fac4412
SHA-1: 4fca5f65e058458fc90c1f2d2e6142c3672d6b02
SHA-256: 1e987c4499e2b5817e5ca8a502294cdab1fcd7029f64b03f50fa5257ec885201
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The sample is an OOXML workbook (xl/vbaProject.bin present) containing VBA macros. Heuristics flag references to cmd.exe and PowerShell inside the VBA code together with a GetObject call; this combination strongly suggests the macros obtain a shell object and execute arbitrary commands, most likely to download and run a second-stage payload. A Base64 decoding function in the script indicates that the command line or payload is stored encoded rather than in clear text, consistent with obfuscated malicious code execution.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
    SHA-256: bf4edbc0fb7bc74612239c636ea726b61ca7fe6a1a576fb240de97da3a9c02e6
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: dd64a1e7c6cd287ea604dca0cc071b88ffca9b32548f6c082352f260e153af49
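Added example, not the report's own tooling: a stdlib-only Python script that reproduces the three steps shown above on a constructed sample. It locates the VBA project inside the OOXML zip container (the OOXML_VBA heuristic), carves it with its size and SHA-256 (the "Extracted artifacts" table), and runs the keyword heuristics (OLE_VBA_PS, OLE_VBA_GETOBJ, OLE_VBA_CMD, plus a Base64-decoder check) over decoded VBA source. The heuristic ids and severities follow the report; the regular expressions, the verdict rule, the sample workbook and the sample macro text are this example's assumptions. Decompressing VBA source out of vbaProject.bin (MS-OVBA) is what oletools.olevba did for the report and is out of scope here, so the scanner takes already-decoded source as input.

```python
"""Reproduce the report's OOXML checks on a constructed sample (stdlib only)."""
from __future__ import annotations

import hashlib
import io
import re
import zipfile

# OLE2 compound-file signature; a real vbaProject.bin starts with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Heuristic id -> (severity, pattern). Ids/severities follow the report; the
# patterns are this example's assumption of what each heuristic matches.
VBA_HEURISTICS = {
    "OLE_VBA_PS":     ("critical", re.compile(r"powershell", re.I)),
    "OLE_VBA_GETOBJ": ("high",     re.compile(r"\bGetObject\s*\(", re.I)),
    "OLE_VBA_CMD":    ("high",     re.compile(r"\bcmd(?:\.exe)?\b", re.I)),
    # Base64 decoder: MSXML bin.base64 node trick or an explicitly named decoder.
    "OLE_VBA_B64":    ("medium",   re.compile(r"bin\.base64|base64", re.I)),
}


def find_vba_projects(ooxml: bytes) -> list[str]:
    """Zip members that are VBA projects (xl/, word/ or ppt/ vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("/vbaproject.bin")]


def carve_artifacts(ooxml: bytes) -> list[dict]:
    """Carve each VBA project and record kind, source, size and SHA-256."""
    out = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        for name in find_vba_projects(ooxml):
            data = zf.read(name)
            out.append({
                "filename": f"vbaProject_{len(out):02d}.bin",
                "kind": "vba-project",
                "source": f"OOXML VBA project: {name}",
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_ole": data.startswith(OLE_MAGIC),  # sanity check on the carve
            })
    return out


def scan_vba(source: str) -> list[tuple[str, str, str]]:
    """Run keyword heuristics over decoded VBA; returns (id, severity, match)."""
    hits = []
    for hid, (sev, pat) in VBA_HEURISTICS.items():
        m = pat.search(source)
        if m:
            hits.append((hid, sev, m.group(0)))
    return hits


def analyze(ooxml: bytes, decoded_vba: str | None) -> dict:
    """Container check + carving + source heuristics -> verdict (assumed rule:
    any critical/high hit is MALICIOUS, any other hit SUSPICIOUS, else CLEAN)."""
    hits = []
    projects = find_vba_projects(ooxml)
    if projects:
        hits.append(("OOXML_VBA", "medium", projects[0]))
    if decoded_vba:
        hits.extend(scan_vba(decoded_vba))
    severities = {sev for _, sev, _ in hits}
    if severities & {"critical", "high"}:
        verdict = "MALICIOUS"
    elif hits:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "heuristics": hits, "artifacts": carve_artifacts(ooxml)}


def build_sample_xlsm(with_vba: bool = True) -> bytes:
    """Constructed minimal OOXML container (not the analysed sample); the VBA
    project is just the OLE signature plus zero padding, 512 bytes in total."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


# Constructed VBA source standing in for the decoded macros.bas. GetObject("", cls)
# returns a new instance of cls, so no CreateObject("WScript.Shell") string appears.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisWorkbook"
Private Const Payload As String = ""
Private Sub Workbook_Open()
    Dim sh As Object
    Set sh = GetObject("", "WScript.Shell")
    sh.Run "cmd.exe /c powershell -nop -w hidden -enc " & Dec(Payload), 0
End Sub
Private Function Dec(s As String) As String
    Dim n As Object
    Set n = CreateObject("MSXML2.DOMDocument").createElement("b")
    n.DataType = "bin.base64"
    n.Text = s
    Dec = StrConv(n.nodeTypedValue, vbUnicode)
End Function
"""

BENIGN_VBA = """\
Sub FormatSheet()
    ActiveSheet.Cells.Font.Name = "Calibri"
End Sub
"""

if __name__ == "__main__":
    for key, value in analyze(build_sample_xlsm(), SAMPLE_VBA).items():
        print(key, value)
```

Keyword heuristics of this kind are cheap to evade (string concatenation, Chr() building, StrReverse), which is why the report pairs them with the structural OOXML_VBA check and carves the raw vbaProject.bin for hashing and deeper inspection; treat a clean keyword scan on a file that still contains a VBA project as inconclusive rather than benign.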