Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 40424885c977031b…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0410ed8208cdc8a7b3d4a62ba73e6ebb
SHA-1: 2b14c3b25119f40dc9dbec98ba334a72016ab639
SHA-256: 40424885c977031b4749b03b9e92b5c7c8d7cb804bfb106b48b37602cc55c7cb
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate that the VBA code references cmd.exe and PowerShell, suggesting it is designed to execute commands on the host system. The GetObject call indicates that the macro instantiates an external object, which further supports this assessment. The primary function of the VBA macro appears to be the execution of external commands, likely to download and run a secondary payload.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project; VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: b52bb152609108bb4eccb2be338668df0ff29c665fac116926ec310d00c70fa4
    Kind:    vba-macro
    Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size:    35036 bytes
  • vbaProject_00.bin
    SHA-256: 8448b3552429bed2bf6a89fbc0d3b63740a9104724c403ca3aaf5ff5ba862ae8
    Kind:    vba-project
    Source:  OOXML VBA project: xl/vbaProject.bin
    Size:    11264 bytes