Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4aa59673b111f45f…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300

MD5: a6c612339e60b9e9f81857958eb47f63
SHA-1: 8130fadda4b01dcb8e48329dd3e449ea8ebfcee2
SHA-256: 4aa59673b111f45f89c3d7018df5650fd66143020ba830495bf43837d8774466

Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate that the VBA code references PowerShell and cmd.exe and calls GetObject. The macro itself appears to implement a Base64 decoder, suggesting it is used to obfuscate and then execute a payload. Its primary purpose is most likely to download and run a secondary malicious component.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
    SHA-256: 4b324b030c6c8beccc9c461bb94082063554051c521df65bc27a15d2167fc62d
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: a7b0987dbcbd1d182d36270e7e52b51c2388ec0700f3d57e1d82991742a6d929