Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 230697a85c6055ae…

MALICIOUS

Office (OOXML)

60.9 KB Created: 2021-07-13 12:00:46 UTC Authoring application: Microsoft Excel 16.0300
MD5: fee81f1ed220c85facfc5c5e272b04a2 SHA-1: 101086cecfce88986f641fff547d9bd00ff098cf SHA-256: 230697a85c6055aef6310f5ac36721a0e4e2685a7dd2e28ade535e4a95732dd9
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The sample contains a Workbook_Open VBA macro that references PowerShell and cmd.exe, indicating it's designed to execute commands. The macro's title and comments suggest it implements a RunPE technique, likely downloading and executing a second-stage payload from a URL. The presence of VBA macros and the Workbook_Open event strongly suggest this is a malicious document delivered via spearphishing.

Heuristics 5

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://github.com/itm4n/VBA-RunPE
    • https://github.com/hasherezade/
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html�

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
e496e6c986c647c1b0a499a2902f3d6776f78273e3a911b7252c04672aff3174		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 53681 bytes
vbaProject_00.bin
1074b791cf72d2b2b5fd0e557aef62eeb2c442b54b6cb8b7bb2e7ad93023a621		 vba-project OOXML VBA project: xl/vbaProject.bin 128512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.