Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3508edf8bcc5ea57…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: a55b487f36b90c05cb65f279fa7a161e SHA-1: 1082d4e73772b154065e794149b0dfa5e0ca3de1 SHA-256: 3508edf8bcc5ea57019b439fed08c27fd01b1d5b4e5772b49b4c92e3fa991976
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The file contains VBA macros that reference cmd.exe and PowerShell, indicating an attempt to execute commands on the system. The GetObject call further suggests the potential for object manipulation or execution of external code. While the specific payload is not visible, the presence of these indicators strongly suggests the macro is designed to download and execute a second-stage malicious file.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c1598609dcf1b12d436afa03c10d3b95b9a2762e042171a518c8bcf4def6d5ff		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
80579663da53c8bc8815be74f5fc6de60f28981daef5c871d5e5fabb59102aef		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.