Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 407b0564b238270e…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: ad3caf378272a6c1368eadbd984fc180 SHA-1: 1f1ca5a1e4eb5230e21587e36bb72971dc99f1e3 SHA-256: 407b0564b238270e99804f2c32b3ca0a6afe00bb121f7ce258361d35590356d2
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject, suggesting it attempts to execute external commands. The presence of a large VBA macro file and a VBA project file are key indicators. The macro's Decode64 function is likely used to deobfuscate and execute a malicious payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1dd7ed3c1eb4c225a649b86b870546d9a92a96676e6742f33ee82c04aa2d17eb		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
3027d746be6f3cf249820ac8603c35453f0e4dd1118096d917aa8f3e206aaf0f		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.