Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3c9b844486d4920e…

MALICIOUS

Office (OOXML)

Size: 41.7 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 212581c811e74808e78aa3cca275d075
SHA-1: e18ceb7a91b4b45d3b5e59eea8bae5ab5241f795
SHA-256: 3c9b844486d4920ed92127c5b32155f629fd1267647fb1e423abd5f13a3b0293
Risk score: 160

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1566.001 Phishing: Spearphishing Attachment

The file is an OOXML document (an Excel workbook) with an embedded VBA project. Heuristics indicate the VBA code references PowerShell and cmd.exe and calls GetObject, a combination consistent with spawning a command interpreter from the macro. The VBA code itself is heavily obfuscated, but its structure suggests it decodes and executes commands, the common pattern for macro-based malware that downloads and runs additional stages. Note that the heuristics match strings and call names, not observed behaviour; the actual command line should be confirmed by reviewing the decoded source (macros.bas, carved below).

Heuristics 4

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call in VBA
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project, so macros are present)
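The following Python script is an added example, not the scanner's code, showing how the four heuristics above can be reproduced in a triage step: it confirms that an OOXML zip carries an xl/vbaProject.bin member (OOXML_VBA), then runs string heuristics for PowerShell, GetObject and cmd.exe over the decoded VBA source. Because the report notes the VBA is heavily obfuscated, the script first undoes two common tricks (Chr() concatenation and StrReverse literals) so that plain string matching can see the real strings. The regex patterns, the severity ranking, the sample VBA and the in-memory .xlsm are all constructed here for illustration; decoding vbaProject.bin to source is left to oletools' olevba, as the artifact table below indicates.

```python
"""Reproduce the report's VBA heuristics over an OOXML document.

Added example, not the scanner's own code. Heuristic patterns, severity
ranking, the sample VBA and the in-memory .xlsm are assumptions made here.
"""
import io
import re
import zipfile

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}  # assumed ordering

# Heuristic IDs and severities as listed in the report; the patterns are assumed.
HEURISTICS = {
    "OLE_VBA_PS":     ("critical", re.compile(r"powershell", re.I)),
    "OLE_VBA_GETOBJ": ("high",     re.compile(r"\bGetObject\s*\(", re.I)),
    "OLE_VBA_CMD":    ("high",     re.compile(r"\bcmd(\.exe)?\b", re.I)),
}

CHR_RX = re.compile(r"\bChr\(\s*(\d+)\s*\)", re.I)
STRREV_RX = re.compile(r'\bStrReverse\(\s*"([^"]*)"\s*\)', re.I)
CONCAT_RX = re.compile(r'"\s*[&+]\s*"')   # closing quote, & or +, opening quote


def normalize_vba(source: str) -> str:
    """Resolve Chr(n) calls and StrReverse("...") literals, then merge adjacent
    string literals joined by & or +, so  Chr(112) & "ow" & StrReverse("llehsre")
    becomes the single literal "powershell". A Chr() that would yield a quote
    character is left untouched so literal boundaries stay intact."""
    def chr_sub(m):
        ch = chr(int(m.group(1)))
        return m.group(0) if ch == '"' else '"' + ch + '"'
    src = CHR_RX.sub(chr_sub, source)
    src = STRREV_RX.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)
    return CONCAT_RX.sub("", src)


def scan_vba(source: str) -> dict:
    """Run the string heuristics; returns {heuristic_id: (severity, matched_text)}."""
    hits = {}
    for hid, (sev, rx) in HEURISTICS.items():
        m = rx.search(source)
        if m:
            hits[hid] = (sev, m.group(0))
    return hits


def find_vba_project(ooxml: bytes):
    """Return (member_name, data) of the VBA project inside an OOXML zip, or
    None when the document carries no macros (the OOXML_VBA heuristic)."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return name, zf.read(name)
    return None


def triage(ooxml: bytes, decoded_source: str) -> dict:
    """Macro presence plus heuristics over the raw and de-obfuscated source.
    The worst severity seen is reported as a number from SEVERITY_RANK."""
    project = find_vba_project(ooxml)
    hits = {}
    if project is not None:
        hits["OOXML_VBA"] = ("medium", project[0])
        hits.update(scan_vba(decoded_source))                 # what plain matching sees
        hits.update(scan_vba(normalize_vba(decoded_source)))  # what obfuscation hid
    worst = max((SEVERITY_RANK[s] for s, _ in hits.values()), default=0)
    return {"vba_project": project[0] if project else None,
            "hits": hits, "worst_severity": worst}


# Constructed VBA source imitating the obfuscation pattern the report describes.
SAMPLE_VBA = '''Sub Workbook_Open()
    Dim w, p, c
    p = Chr(112) & Chr(111) & Chr(119) & StrReverse("llehsre") & ".exe -w hidden -enc QQBB"
    c = "cm" & "d.exe /c " & p
    Set w = GetObject(StrReverse(":stmgmniw"))
    w.Get("Win32_Process").Create c, Null, Null, Null
End Sub
'''


def build_ooxml(with_macros: bool) -> bytes:
    """Minimal in-memory OOXML zip (constructed); only the member names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder bytes standing in for a real OLE2 vbaProject.bin.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(build_ooxml(True), SAMPLE_VBA)
    for hid, (sev, what) in sorted(result["hits"].items()):
        print(f"{hid:16} {sev:9} {what}")
    print("raw-only hits:", sorted(scan_vba(SAMPLE_VBA)))
    print("benign workbook:", triage(build_ooxml(False), SAMPLE_VBA)["hits"])
```

Running the raw source through scan_vba alone flags only OLE_VBA_GETOBJ, because neither "powershell" nor "cmd" appears as a contiguous string in the obfuscated text; after normalize_vba all three string heuristics fire. That is the practical reason to de-obfuscate (or to run heuristics over olevba's decoded and de-obfuscated output) before trusting a "no PowerShell reference" result.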

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • macros.bas (kind: vba-macro, 35036 bytes)
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    SHA-256: fc2afb4a66e30e0035b50ca7295450b4e677f70d536a4da4dc98e92c925d77bf
  • vbaProject_00.bin (kind: vba-project, 11264 bytes)
    Source: OOXML VBA project member xl/vbaProject.bin
    SHA-256: 97d712dffb0d1305abd19497d4569fcab2651f3c1cddac241fda64f5c7d61c33