Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 28e1d9411e3c3e84…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 18181a548c96e9f96736b3e74c9c396f SHA-1: 774fb698aedf02bb7bbabcc01fbd16074355f98d SHA-256: 28e1d9411e3c3e842998bb7dd44b2f6f7625374b4987dbe5ad63f2720355b2a2
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The OOXML document contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of obfuscated VBA code suggest an attempt to execute arbitrary commands. The primary function of the VBA appears to be decoding and executing a Base64 encoded string, which is likely a second-stage payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ef32d27bdb6d57785c23530caa64f1bdae59efc96b4b72ec086e7bcc25272ad2		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
ba593d9f74651e310a3231e84b601594b03e0fb257297276ff6166fd8ccb9f38		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.