Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5103226764d85ebb…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 5af60522e90725cbc781be04a304c532
SHA-1: 1ab7cc58f96595738b1232ae98aa0728b1dc1691
SHA-256: 5103226764d85ebbb4daf886769fe630eebbc7608f0e08fb657a5c2ff074a160
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The OOXML document contains VBA macros that reference PowerShell and cmd.exe. The GetObject call is a further indicator of malicious activity. The VBA code appears to be obfuscated; its likely intent is to download and execute a second-stage payload through the referenced scripting interpreters.

Heuristics 4

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename          | Kind        | Source                                                          | Size
macros.bas        | vba-macro   | oletools.olevba.extract_macros (decoded VBA source from OOXML)  | 35036 bytes
                    SHA-256: c98e3a8f329a7605d16f1a608bb12e1d400391a7bc514dd3b96b34bc2a6d8f34
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin                            | 11264 bytes
                    SHA-256: 0ebea589759c6c7b4ba007a3f0dbfbcbd250acfbfc670cdde7db9fff85a2b7db