Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1eb2f73d6d63cfc9…

MALICIOUS

Office (OOXML)

41.7 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: c0b4da5b8a9f34fc310abe09e96cedf7 SHA-1: ca43e6c9ffe5489d1074120190af60c57fdbf4b5 SHA-256: 1eb2f73d6d63cfc9b4a8a166f31fd81de02dd33502f603048c8300d18699c72d
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file is an OOXML document containing VBA macros. Critical and high severity heuristics indicate the presence of PowerShell and cmd.exe references within the VBA code, along with a GetObject call. The VBA code appears to be obfuscated, but the presence of these elements strongly suggests it's designed to execute commands, likely for downloading and running a secondary payload. The Decode64 function suggests Base64 encoded content is being processed, which is a common technique for obfuscating malicious payloads.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ad0a1fc81975dc1bea3949f7e71f77d12f8f4a3f4e80459ffe94bc0b92a46376		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
49afe7351b8cb40575fe79d5fe7f47fd0788ddba8cbc3e3507a056e8b74c6882		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.