Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4d0a10b61b497ad9…

MALICIOUS

Office (OOXML)

Size: 42.0 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3d0b358a9fbfcf05d73ba8ebec7b9a37
SHA-1: 5b9a09abf1f0e820397e8f6e1f6a14ed78794a80
SHA-256: 4d0a10b61b497ad9c8e4883d76fbd1110da7333c0db3ea6a940bbfdc2af4a1b8
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1059.003 Windows Command Shell

The file contains a Workbook_Open macro that references PowerShell and cmd.exe, indicating an attempt to execute commands. The presence of a VBA WMI Win32_Process launcher heuristic further suggests the macro is designed to launch external processes. The macro also contains obfuscated Base64 decoding logic, likely used to conceal the actual payload or commands being executed.

Heuristics (6)

  • PowerShell reference in VBA [critical] OLE_VBA_PS
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
  • GetObject call [high] OLE_VBA_GETOBJ
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 4d9e536f038c4ded8016867427055d4f22d314cfee7aff27a2310fe5ba666a14
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35878 bytes
  • vbaProject_00.bin
    SHA-256: 8596bc8bc1f5bfa29b486967e62e00df7e16c995202bacec45971c0a80e47885
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11776 bytes