Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2468cbd5fa6698c3…

Verdict: MALICIOUS

File type: Office (OOXML)
Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a4863e2b3ba42c6023f84fa06141e1ac
SHA-1: 46daa015fc6d0e789282415cb76af0e7d17c874e
SHA-256: 2468cbd5fa6698c3e379bb8bf76253e6480f19874428f0262335a827f8abdf0e
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The OOXML document contains VBA macros that reference PowerShell and cmd.exe. The GetObject call, combined with the presence of VBA macros, suggests an attempt to execute arbitrary code. The VBA code also includes a Base64 decoding function, indicating that it likely decodes and executes a malicious payload, possibly one downloaded from a remote source.

Heuristics (4)

  • PowerShell reference in VBA [critical] OLE_VBA_PS
  • GetObject call [high] OLE_VBA_GETOBJ
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 6b06df9587d2fa3e9f1ed695a0aafb29a3bfc42902baf28faf1be0c168c414c1
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: db75e42e3bd08a8b656bb2dd5059affdabdcad695cc4005cdefb7e440cedc2f9
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes