Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 451443de7297be5f…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: dac529704d1569ec4748ac91a9e3a055
SHA-1: 086bd4d891c50e31e28cfe38cbdd2b1dbc1f73ad
SHA-256: 451443de7297be5ffef6763c171bfa035bfc229272d075a4785a6d6377c55f00
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The OOXML document contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of obfuscated VBA code suggest an attempt to download and execute a secondary payload. The specific obfuscation technique used in the VBA macro is complex, making it difficult to definitively determine the exact execution flow without further dynamic analysis.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: ed93feb9ffd7409b026013b8bf50639661e1fe9858913245d0d244f3e47399c8
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes

Filename: vbaProject_00.bin
  SHA-256: fe3e3f7d5fe1b932501899abe71152d9cdc9d78ce277dec73e40ad5bcb7f09f6
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes