Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3d4b5d247dda83a2…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f555933cfddeb28573f4022a5e4d8f49
SHA-1: 244fdd3beaffe7d6d93ed945e51985a85d939997
SHA-256: 3d4b5d247dda83a2d5420723465c06fcfee66b40bfaf3158c7eefa286359dde3
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe and calls GetObject. The VBA code appears to implement a Base64 decoder, suggesting it decodes an embedded payload and executes it. This is a common pattern for macro-based malware downloaders.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes
  SHA-256: eeee512aaad65833555b49a1dc920182ef43b53464d8a218aff2cca826421a0d

vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes
  SHA-256: 1192b103f2c1d46dd99e6968c008336b7a8907ce1dc0e873139c0d309cd997ed