Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 384d8a534dd6fff3…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: da09c0223e7fe74096d4b3af0ad685cc
SHA-1: c9e848ade54e3f805deffb35c24c1bcf05eb9da8
SHA-256: 384d8a534dd6fff30afbed9d097f28303c0dc366cf43b962811abbf8d1d23b1a
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The OOXML file contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute external commands. The GetObject call further suggests object manipulation or code execution through an instantiated object. The primary function of the VBA macro appears to be the execution of a PowerShell command, most likely to download and run a secondary payload.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: f34b243cbb8e4f72af96161ad1c0cedd25e0ce0fa5bb4a53749bc62fe56f8c05
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 7617e3c3b8bf1c67fe2f44be7dc96f0ded29b0a212130d9e270f54f2d6746162
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes