Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2faacfff4b8e62a7…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 871e8c41e0452dfa44f394da49b091b6 SHA-1: 93c1de0c959e8a1e88bce79fed4b439f8796b1de SHA-256: 2faacfff4b8e62a7db8456e2c9ea845b58058b7e310acee47baba1c52201be5f
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The OOXML document contains VBA macros that reference cmd.exe and PowerShell. The critical heuristic 'OLE_VBA_PS' indicates a PowerShell reference within the VBA, suggesting the macros are used to execute PowerShell commands. The 'GetObject' and 'cmd.exe' references further support the execution of external commands. The primary function of these macros appears to be downloading and executing a second-stage payload, though the specific URL or payload is not directly visible in the provided evidence.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
78723768e9e511336b9822ff8807c2f2b7ab014f2cbc0b9263020293e63a66fe		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
3cc09abac75305ad0b5330af4a62487e7d4eb3f6de077c60d8cdec7480e809fb		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.