Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4870a0d89a7b3489…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: f23aec6f158472894ed3746a80c7e935 SHA-1: 77e1642569c4626a7464c0ae351a423635961217 SHA-256: 4870a0d89a7b3489b3f32105e082bf9e4a6a618791e99af365f6bdad01287aa3
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic 'OLE_VBA_PS' indicates a PowerShell reference within the VBA macros, and high heuristics 'OLE_VBA_GETOBJ' and 'OLE_VBA_CMD' suggest the use of GetObject and cmd.exe. The VBA code itself contains obfuscated functions and string manipulation, typical of malware attempting to hide its execution flow. The primary function of this macro appears to be executing external commands, likely to download and run a secondary payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
311204edc081905be3835b631c93c93643629a5411cc249a14f3b41856ec3d75		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
ea7a5171be44ee13be9a4fd11554b98d989ab67d70db949ceb771a770df02fa1		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.