Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1f9941c00fa0bbb0…

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 393717f5442bc669c693f24f989f880a SHA-1: 7ee93a9ef8bbfb3137b768936b50ece683e0f58f SHA-256: 1f9941c00fa0bbb0fc238a6452812e49ddabb83a3b72acb83b457af686cc9cd3
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros. Heuristics indicate the presence of PowerShell and cmd.exe references within the VBA code, suggesting an attempt to execute external commands. The VBA code itself appears to be heavily obfuscated, including a Base64 decoding function, which is commonly used to hide malicious payloads. The overall pattern suggests a macro-based downloader.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
350606e02c937d0fe2c58388a6b22e49c91c300166b88e015e45b1a532bbfc8f		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
f7a84607f81e1116ac9e400724c959a150f17fef57b2172085fe41853130dfc1		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.