Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2f9cd07692c3d909…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 2288802b46059ff1fb96ecb3f8b6a8d9 SHA-1: 1a96ea04475ae61b78e80b9a0490ebe91497d042 SHA-256: 2f9cd07692c3d909af785a0253a21718eb0b702bb524c2425f2be9c4bd79149a
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject, suggesting it attempts to execute external commands. The VBA code itself appears to be heavily obfuscated, but its structure and the presence of these indicators strongly suggest it is designed to download and execute a secondary payload. The lack of specific IOCs like URLs or hashes means the exact payload cannot be determined from this sample alone.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b642d20a923f9a64b037104a1945eee05acebc43bd013d0eb00d196627a3886e		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
2ed91ecf1aa99992158ecb0b1083ca6962d0e690520cea1b80e150751009d681		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.