Office (OOXML) malware analysis — malicious · 1ff6356b078b6ab8

MALICIOUS

Office (OOXML)

42.1 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: 320672c0693e652b79ea13588e8f6f3a SHA-1: 88497d36629dd266814afb9db2948660745b8f43 SHA-256: 1ff6356b078b6ab8acbe70c867f9024c09eaf7728ec1387eb21307975d747c36

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

This Excel document contains a Workbook_Open macro that references PowerShell and cmd.exe. The macro also uses GetObject to launch a Win32_Process, indicating it's designed to execute commands. The presence of a Workbook_Open macro and the execution of PowerShell strongly suggest this file is a malicious attachment intended to download and execute a secondary payload.

Heuristics 6

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `562b884fe1e5c3d0f44ee8a2b361bfff8cd8a92b2478ff95f45bf42a96a31c7c`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	36226 bytes
`vbaProject_00.bin` `e8c2fb9ab853dbfbbe908b2af0f9e00b07e56d381609700a2c28a20cf5366bf2`	vba-project	OOXML VBA project: xl/vbaProject.bin	11776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.