Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 34e08d5a8f5f80fe…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a91b1295b06712a69db2cacb126f000d
SHA-1: 42bc0ee98f36c2ec1ef96550859a11f9edc1d9fc
SHA-256: 34e08d5a8f5f80fed84f1a47fd84d6a05bb0b063b50846ba199fddbccb27ac08
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros. Heuristics indicate the presence of PowerShell and cmd.exe references within the VBA code, suggesting an attempt to execute arbitrary commands. The VBA code itself appears to be heavily obfuscated, but the presence of these references strongly implies downloader or dropper functionality. The primary attack vector is likely a spearphishing attachment.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
    SHA-256: b90c979feb45d322eac2e073dae284677943d7051fe1d270a13833655113faaa
  • Filename: vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: 661fecd9c7ca6ca4777ffc58c6880c80b5a555db845bf1c08efb8b95cf9ce6c4