Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 44ffef0c4555fc80…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 45ccc78404848ab22784e17a13d4db95
SHA-1: 384f343a3051298c1c4275291e31f763f80c53f2
SHA-256: 44ffef0c4555fc8067d797dffce617d45c29937ba77c37500f0dee3505cc5bcf
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The OOXML file contains VBA macros that reference cmd.exe and PowerShell. The GetObject call, combined with the presence of VBA macros, suggests an attempt to execute arbitrary code. The macro code appears to be obfuscated, but the references to cmd.exe and PowerShell indicate that it likely downloads or executes a second-stage payload.

Heuristics (4)

  • PowerShell reference in VBA [critical] OLE_VBA_PS
  • GetObject call [high] OLE_VBA_GETOBJ
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
  • VBA project inside OOXML [medium] OOXML_VBA: document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes
  SHA-256: 3761a3eb3a32c7cfe22a3a97fc9759f761a922dd8c49d92f31e4295fbbd978a0

vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes
  SHA-256: 936a23827e9b98e1861d777197c116183b0bd50770fd85cfc1992efebfd42aa5