Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4abdfd9f9f2157c3…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: b4700043c0124b9df035d227ab3bf933
SHA-1: 95c443dd14621185bc8bb583ba30a13a77b90537
SHA-256: 4abdfd9f9f2157c34aeef1851faf47ca2133cc4b10d4cc3e1e460797bac70609
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The file contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute external commands from the document. The macro also calls GetObject; in malicious documents this is commonly used to obtain a COM or WMI object (for example through a winmgmts: moniker) so that a process can be started without the Office application as its direct parent, although this report does not show which moniker is used here. The primary function of the macro appears to be obfuscated execution of a PowerShell command line, most likely to download and run a secondary payload; no second-stage URL or command line is reproduced in this report, so the download target remains unconfirmed. Because the sample is an OOXML workbook rather than a legacy binary format, the macro code lives in the xl/vbaProject.bin part, and the heuristics below were evaluated on the VBA source decoded from that part. Execution still depends on the victim opening the file and enabling macros (T1204.002).

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, i.e. macros are present
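To make the four heuristics concrete, the following Python is an added example written for this page; it is not the analysis service's rule engine and not code from the sample. It builds a constructed, minimal .xlsm-style zip in memory (its vbaProject.bin part carries only the OLE header, not a real VBA project), flags the OOXML_VBA condition by content type and file magic, and then runs the three OLE_VBA_* keyword checks over a constructed VBA fragment, first undoing line continuations, Chr() escapes and string concatenation so that a split keyword such as "pow" & "ersh" & "ell" still matches. Decoding the real VBA source out of vbaProject.bin (MS-OVBA decompression) is left to oletools' olevba, which is what produced the macros.bas artifact listed further down. The rule IDs and severities are the report's; the regexes, the normalisation and the sample input are assumptions of this example.

```python
"""Added example for this report page (not the analysis service's own
rule engine and not code from the sample).  Stage 1 finds a VBA project
part inside an OOXML zip (the OOXML_VBA heuristic); stage 2 runs the three
OLE_VBA_* keyword checks over decoded VBA source after undoing cheap
obfuscation.  Decoding vbaProject.bin itself (MS-OVBA) is left to olevba."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # compound file header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# (rule id, severity, description, pattern); ids and severities are the
# report's, the patterns are this example's assumption of what a rule matches.
RULES = [
    ("OLE_VBA_PS", "critical", "PowerShell reference in VBA",
     re.compile(r"powershell", re.I)),
    ("OLE_VBA_GETOBJ", "high", "GetObject call",
     re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_CMD", "high", "cmd.exe reference in VBA",
     re.compile(r"cmd\.exe|\bcmd\s+/[ck]\b", re.I)),   # not cmdButton etc.
]


def find_vba_parts(ooxml: bytes) -> list:
    """Stage 1: names of VBA project parts in an OOXML package.  A part is
    reported if [Content_Types].xml declares it with the vbaProject content
    type or its name ends in vbaProject.bin, and only if it really starts
    with the OLE/CFB magic (a renamed part counts, an empty one does not)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        names = z.namelist()
        declared = set()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            declared = {o.get("PartName", "").lstrip("/")
                        for o in root.iter(CT_NS + "Override")
                        if o.get("ContentType") == VBA_CONTENT_TYPE}
        for name in names:
            if name in declared or name.lower().endswith("vbaproject.bin"):
                if z.read(name).startswith(OLE_MAGIC):
                    hits.append(name)
    return hits


def _chr_literal(m):
    c = chr(int(m.group(1)))
    return m.group(0) if c == '"' else '"' + c + '"'   # leave Chr(34) alone


def normalise_vba(src: str) -> str:
    """Join VBA line continuations, turn Chr(n)/Chr$(n) into string literals
    and collapse "a" & "b" (or +) joins.  Only these cheap tricks are handled;
    StrReverse, Replace or runtime-built strings are not."""
    src = re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src)
    src = re.sub(r"\bChr\$?\(\s*(\d{1,3})\s*\)", _chr_literal, src, flags=re.I)
    src = re.sub(r'"\s*[&+]\s*"', "", src)
    return src


def scan_vba(src: str) -> list:
    """Stage 2: (rule id, severity, description) for every rule that fires."""
    text = normalise_vba(src)
    return [(rid, sev, desc) for rid, sev, desc, pat in RULES if pat.search(text)]


# Constructed VBA fragment for this example only; it is not the sample's macro.
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim cmdline As String
    cmdline = Chr(99) & "md.exe /c " & "pow" & "ersh" & _
              "ell -nop -w hidden -c <second-stage placeholder>"
    Set wmi = GetObject("winmgmts:")
    ' process creation through wmi elided
End Sub
'''


def build_sample_ooxml(with_vba: bool = True) -> bytes:
    """Constructed stand-in for a macro-enabled workbook: a zip whose
    xl/vbaProject.bin carries only the OLE header (not a real VBA project)."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/xl/workbook.xml" ContentType='
          '"application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>')
    if with_vba:
        ct += '<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    print("VBA parts:", find_vba_parts(build_sample_ooxml()))
    for rid, sev, desc in scan_vba(SAMPLE_VBA):
        print(f"{rid:<15} {sev:<9} {desc}")
```

Run stand-alone it reports the single xl/vbaProject.bin part and all three OLE_VBA_* rules firing on the fragment, even though neither "powershell" nor "cmd.exe" appears contiguously in the source. scan_vba returns the rule tuples rather than printing them so it can be dropped into a larger triage step; the normalisation only covers the two cheapest obfuscations, so a keyword miss on a macro-bearing file is a reason to read the decoded source, not a clean bill of health.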

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas (kind: vba-macro, 35036 bytes)
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    SHA-256: 091093afd24cde11c35c0af07c56946cd75bc17aa5ec6122e6120a4e48d88f1a
  • vbaProject_00.bin (kind: vba-project, 11264 bytes)
    Source: OOXML VBA project part xl/vbaProject.bin
    SHA-256: 80032707aca7c03cd3f63954a736beac195b452a74b5cb2c650127c257bad962