Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 40570d0e6e1cedd9…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: d8db3071773172968d34e1092df5c7fa
SHA-1: 81b98e3816e0440c78369886c3814018b764774c
SHA-256: 40570d0e6e1cedd96499db2414c2c797116d798402b962d748262e038715182a
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA macro appears to be obfuscated but likely decodes and executes a second-stage payload using these commands. The primary function of this macro is to facilitate the execution of further malicious code.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
    PowerShell reference in VBA
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
    cmd.exe reference in VBA
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 10ac8f34370bea7a5e4ed135bf68d2a5c3691c9176b06cc5602bb751373d55d0
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 4aaac57b78c045391018f86b44641a52df33804240c4e6dc915336c2af8dd458
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes