Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 229979c8b88f82c8…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8ad34c52483f6b588cdaedf8f2ca29bc
SHA-1: 2cb03ef903a2daaea45d57662a6ddb20c4ff3d68
SHA-256: 229979c8b88f82c8950bad6a32263a37eb5906a83df9def360967b6f25019aaa
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Office (OOXML) workbook containing a VBA project. Heuristics flag references to PowerShell and cmd.exe and a GetObject call in the macro source, consistent with an attempt to execute arbitrary code. The VBA is obfuscated and performs Base64 decoding, most likely to reconstruct a command that downloads and runs a second-stage payload. This points to a macro-based downloader, commonly delivered as a spearphishing attachment.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call in VBA
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; VBA macros present
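As an added illustration of how the four heuristics above can be reproduced (this is example code written for this page, not the analysis platform's own code), the script below builds a constructed OOXML zip with a placeholder xl/vbaProject.bin, scans constructed VBA source standing in for olevba's decoded output, and additionally decodes Base64-looking string literals so a PowerShell reference hidden inside one is still caught. The severity weights, the sample macro, and the helper name B64Decode inside it are assumptions; the report's risk score of 160 is not derived here.

```python
"""Re-creates the report's four heuristics over a constructed OOXML container
and constructed VBA source. Added example, not the analysis platform's code."""
import base64
import binascii
import io
import re
import zipfile

# Heuristic IDs and severities are the ones the report lists; the numeric
# weights are an assumption for this example.
HEURISTICS = [
    ("OLE_VBA_PS", "critical", re.compile(r"powershell", re.IGNORECASE)),
    ("OLE_VBA_CMD", "high", re.compile(r"\bcmd(\.exe)?\b", re.IGNORECASE)),
    ("OLE_VBA_GETOBJ", "high", re.compile(r"\bGetObject\s*\(", re.IGNORECASE)),
]
SEVERITY_WEIGHT = {"critical": 3, "high": 2, "medium": 1}

# OOXML stores the VBA project as a binary part under the main document part.
VBA_PROJECT_RE = re.compile(r"^(xl|word|ppt)/vbaProject\.bin$")
# A string literal that looks like Base64 (at least 16 chars, optional padding).
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def find_vba_projects(ooxml_bytes):
    """Return zip member names holding a VBA project (heuristic OOXML_VBA)."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        return [n for n in zf.namelist() if VBA_PROJECT_RE.match(n)]


def scan_vba_source(vba_src):
    """Return (id, severity, first matching line) for each heuristic that fires."""
    hits = []
    for hid, severity, pattern in HEURISTICS:
        for line in vba_src.splitlines():
            if pattern.search(line):
                hits.append((hid, severity, line.strip()))
                break
    return hits


def decode_base64_literals(vba_src):
    """Decode Base64-looking literals so indicators hidden in them get scanned too."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(vba_src):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="ignore")
        if text and all(c.isprintable() or c.isspace() for c in text):
            decoded.append(text)
    return decoded


def triage(ooxml_bytes, vba_src):
    """Run all four heuristics over the raw source plus one Base64-decoded layer."""
    hits = []
    projects = find_vba_projects(ooxml_bytes)
    if projects:
        hits.append(("OOXML_VBA", "medium", ", ".join(projects)))
    seen = set()
    for layer in [vba_src] + decode_base64_literals(vba_src):
        for hid, severity, context in scan_vba_source(layer):
            if hid not in seen:
                seen.add(hid)
                hits.append((hid, severity, context))
    score = sum(SEVERITY_WEIGHT[sev] for _, sev, _ in hits)
    return {"hits": hits, "score": score}


def build_sample_xlsm():
    """Constructed minimal OOXML zip with a placeholder xl/vbaProject.bin (not a real OLE stream)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed VBA source standing in for olevba's decoded output. The only
# PowerShell reference is inside the Base64 literal (it decodes to "powershell.exe").
SAMPLE_VBA = '''Sub Auto_Open()
    Dim enc As String
    enc = "cG93ZXJzaGVsbC5leGU="
    Set wmi = GetObject("winmgmts:")
    Shell "cmd.exe /c " & B64Decode(enc)   ' B64Decode assumed defined elsewhere in the module
End Sub
'''


if __name__ == "__main__":
    result = triage(build_sample_xlsm(), SAMPLE_VBA)
    for hid, severity, context in result["hits"]:
        print(f"{hid:<15} {severity:<9} {context}")
    print("score:", result["score"])
```

Scanning only the raw source misses OLE_VBA_PS on this sample; the decoded layer is what surfaces it, which is the point the summary makes about Base64 obfuscation. Against a real sample, feed olevba's extracted macros.bas in place of SAMPLE_VBA and the original workbook bytes in place of the constructed zip.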

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  35036 bytes
                   SHA-256: aea3b60df10ee6e628d11440dd8868b05f755ce18f756ff6691ae21ffb48ae03
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            11264 bytes
                   SHA-256: 9f3d02167ffb152015849de04515837c574a126bd908a361e2c33bf85c360fef