Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3f2fa0bddc432592…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: cb55fdb7a261bf640821e96e3bc7ceea
SHA-1: 8f8e005d64c1f0beb5057de46e807a17d08198f8
SHA-256: 3f2fa0bddc4325921add48d7bce8fe670248576ec06fe79350c5545e4fe54164
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The OOXML document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The VBA code appears to be obfuscated, but the critical heuristic indicates a PowerShell reference, strongly suggesting the macro is designed to download and execute a secondary payload. The specific obfuscation technique used in the VBA macro is complex, making it difficult to reconstruct the exact command or URL without further analysis.

Heuristics 4

  • PowerShell reference in VBA [critical] OLE_VBA_PS
  • GetObject call [high] OLE_VBA_GETOBJ
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 41f45b445156c7bc7bfa8433382734a01db8dac3945b5c7c477617c0c282f467
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 35036 bytes

Filename: vbaProject_00.bin
SHA-256: e7888c296107c80c76d67d940c0619eba1da4de8c9368d121c04f1b3d8d9f701
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 11264 bytes