Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 65f5ffdccc32e1e9…

MALICIOUS

Office (OOXML)

File size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5:     de7376df369d9a5b58f5f93d00807a9e
SHA-1:   e3bedbba6a85e93217a112c2de5bec51342d2f44
SHA-256: 65f5ffdccc32e1e909267b4edaea884b148447ac7a6acf6852c69fee59e10252
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The sample is an Office document containing VBA macros. The macros reference cmd.exe and PowerShell, indicating an attempt to execute commands. The GetObject call further suggests potential exploitation or execution of external code. The VBA code includes a Base64 decoding function, likely used to obfuscate the actual PowerShell command.

Heuristics (4)

  • PowerShell reference in VBA  [critical]  OLE_VBA_PS
  • GetObject call  [high]  OLE_VBA_GETOBJ
  • cmd.exe reference in VBA  [high]  OLE_VBA_CMD
  • VBA project inside OOXML  [medium]  OOXML_VBA
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  34430 bytes
                   SHA-256: adc5b06ba64f0bc668c8decbbb971676e9c51a35098a99ab82751bb272f53c83
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            11264 bytes
                   SHA-256: ea7fb20073847da210a1e221c9bc19edcc87f22c03c67f26a2abc59be9af0722