Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 593e1deb2f713dbd…

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 150b47a502aee72c0867002370883bd9 SHA-1: 9564eade7c730bc74be75c6ddc5f41a99f7e627f SHA-256: 593e1deb2f713dbdda31e16a9c2953f0c51f1d4605a1a8285214159cc3652e60
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The OOXML file contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute arbitrary commands. The GetObject call further suggests potential for object manipulation or execution. While the VBA code is heavily obfuscated, the presence of these indicators strongly suggests the macro is designed to download and execute a secondary payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6f7c890ecb2c8db97a249808dce42d5eec74d90cea0deb3564c496970a673618		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
13dd6457550e8d8010ea6f4cddae0f2b24d6e36b59908a774c18ac8d0a9b3e83		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.