Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2599f64d66b2771f…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 15e726dce6703a9ad46b5c98b5271d2c
SHA-1: d7e5f6429dc174e45564bcfb4b1a26a1e39ac810
SHA-256: 2599f64d66b2771f24d527dfee8e19b807508c93376cc98624d64dfdf3e24cbb
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate that the VBA code references PowerShell and cmd.exe and calls the GetObject function. The VBA code appears to be obfuscated and includes a Base64 decoding function, suggesting it is used to download and execute a secondary payload. The primary technique observed is the use of Visual Basic for Applications (VBA) to execute commands.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
    The VBA code references PowerShell.
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    The VBA code calls GetObject.
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
    The VBA code references cmd.exe.
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    The document contains a VBA project (VBA macros present).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: d02dedb64afac9cd3ed53b465a8bcd0d7f392f883f80c3502133ffeafa52a325
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 1b8eb3db7d2127c2bfac647b43701f6c2f05b93cda0e614ec4f1063e35f7a2d6
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes