Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5aec2e566a5d5227…

MALICIOUS

Office (OOXML)

Size: 41.7 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4a46fd42044d328d231b90ac53138609
SHA-1: b5033b7ff5c5a51306cd752daa5dea4102e32d7f
SHA-256: 5aec2e566a5d5227cf22a027688202af90d53a958c7afa246d032fdd2044545d
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an Office document containing VBA macros. Heuristics indicate the VBA code references cmd.exe and PowerShell, suggesting it is designed to execute commands on the host system. The GetObject call further supports the possibility of object manipulation for malicious purposes. The primary function of the VBA appears to be the execution of external commands, likely for downloading and running additional malicious content.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
macros.bas | 06f0ecebffbc17c54b013a65c6e7704f25d2dc67e13b3a94978f8fbe000c0673 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 35036 bytes
vbaProject_00.bin | 5be069a38b473a9de74304956fa222e2424e24e315d60f19cf6dfd1d7aaccc0f | vba-project | OOXML VBA project: xl/vbaProject.bin | 11264 bytes