Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 39982ff25e3b42a9…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 2c35e1600cfe193020e7acf92ea43b9d
SHA-1: 004196a4dff1e9b0e4abeb33e0b70b112362b522
SHA-256: 39982ff25e3b42a94df652fbe6d41954856165db09c70f9f407f3a471df9b9e8
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

This OOXML document contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute arbitrary commands. The GetObject call further suggests potential exploitation or dynamic execution of code. Although the VBA code itself is heavily obfuscated, the presence of these references strongly implies malicious intent: downloading and executing further payloads or establishing persistence.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 8e98fbfa2eb25383dc151d461c812c94c00fb17c1842445d9572fe7341b93fb3
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 9841e1501681260600c99e1d75b025fa5bed8aac589bdc7b3845a6b3babfe195
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes