Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2c7c8f552ad48658…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 403db957658ecf6531b61af189daef80
SHA-1: 3ca51aed57153918ecf55d4f7f5770e3ae48f3e7
SHA-256: 2c7c8f552ad4865877659f318b2eb6bda3fc5a4f7c18fbd3e3093cc2de49d003
Risk score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The OOXML document contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The VBA code itself appears to be heavily obfuscated, making it difficult to determine the exact payload, but the overall pattern indicates a downloader or initial execution stage.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project; VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
    SHA-256: 4551b0fe12727fc056f496ec919d142fcc6d3dad8795d47b8e5b1041f8b07412
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: 0784a69a76ee683fb42f1d764fad605e503c7477f2d2979bb346937d354cef23