Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3778f74c85da5a6b…

MALICIOUS

Office (OOXML)

Size: 41.7 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 6368fc6c1b874ebe9e994694eeeca5b2
SHA-1: e869b10249480dc288c4e22e5cee926af3951da6
SHA-256: 3778f74c85da5a6bd4d376d438dc4c6856bce644a1df9ec2742b4e950b53304b
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The OOXML file contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The VBA code includes a Base64 decoding function, which is commonly used to obfuscate malicious payloads.

Heuristics (4)

  • PowerShell reference in VBA [critical] OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 1dd9b4eab62c8ec1659783b5b080cec06205b5a9aad11ae93d8e5fd0e0dc06e3
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 1ed983e9e2331c25e22c495d3265ea301cd0d34666a532b12e4a67f19d4a393b
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes