Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 643ce9630631fdc9…

MALICIOUS

Office (OOXML)

14.5 KB
MD5: 24dd86688a277a16ca013809c71ab8c0 SHA-1: d3a1915ced9501a7ce269ee1ace23b4a50c8c5cd SHA-256: 643ce9630631fdc9051b4be5b3bd9d60281885380fb2fa777379711d938c3c91
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The OOXML document contains VBA macros, specifically an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The script attempts to construct a URL by concatenating strings and then calls a procedure that likely downloads and executes a second-stage payload. The renaming of the VBA project part suggests an attempt to evade detection.

Heuristics 3

  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/hukaluuuu.bin)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d5d38c2d9188d485c6576ea8b196c06ebc0a5c24784fd52f87080cb9821fd25f		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5652 bytes
vbaProject_00.bin
279caa394a692a8eb047a5014ba53ec53d37b1782d077c65d96d897759259079		 vba-project OOXML VBA project: ppt/hukaluuuu.bin 34304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.