Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4b14e62843d0aee1…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 7feeefc380a94cdb1c9b83e008637e1e SHA-1: 00a9a5719d965be33c49b83ce5958def30376031 SHA-256: 4b14e62843d0aee1c1670ebefa6eebbe7027233296d98cf31163bfbecafeb314
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The file is an Excel document containing VBA macros. The macros reference PowerShell and cmd.exe, and use GetObject, indicating an attempt to execute external commands. The presence of a Decode64 function suggests obfuscated code, likely for downloading and executing a secondary payload. The specific VBA code is heavily obfuscated, making it difficult to determine the exact payload or destination.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d0ca2c1a4f6ae257855a349724e8f25fe8a558f4378c4e62b288a54e2c440d33		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
2861c7a73f863e8344178f037c8a7a8440dc720e9404b5541878970008732cb2		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.