Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 296caab880fc879b…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3ff73fc2a49aa495b4cb69f9d8c8986f
SHA-1: 5977ae1f95415686137224a4bc51fa9be3182fa8
SHA-256: 296caab880fc879b9dfd8282191b7a26ff7997c7e45336ed3f6a038804f98b45
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an Office (OOXML) document containing VBA macros. Heuristics indicate that the VBA code references PowerShell and cmd.exe and calls GetObject. The VBA code appears to be obfuscated and includes a Base64 decoding function, which suggests it is designed to download and execute a secondary payload. The most likely delivery pattern is a spearphishing attachment that leads to macro execution when the user opens the document and enables content.

Heuristics (4)

  • [critical] OLE_VBA_PS: PowerShell reference in VBA
  • [high] OLE_VBA_GETOBJ: GetObject call in VBA
  • [high] OLE_VBA_CMD: cmd.exe reference in VBA
  • [medium] OOXML_VBA: VBA project inside OOXML (document contains a VBA project, so VBA macros are present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                           Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)   34430 bytes
                   SHA-256: 8da2186f5846b3446a2bcaac5f3fc6db55ba87f4544303208d63b517891acc31
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                             11264 bytes
                   SHA-256: 94cd875d15633258a7478c24f0437eebb991aa8dea760da3af0768124066509c