Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 69442ec974e06b7f…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ab774bd51c827eaad3752d358ef1955b
SHA-1: e7c7205ee363331969874aa5d985df1cfb67d03b
SHA-256: 69442ec974e06b7fd297bc51384c1c7176d92add634d8017c91c874b6255ed4a
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The file is an OOXML (Excel) workbook that carries a VBA project (xl/vbaProject.bin). Heuristics indicate that the VBA code references both cmd.exe and PowerShell, which suggests it is designed to execute commands on the host. The GetObject call supports that reading: in VBA it returns a COM object from a moniker or a running automation server, and is a common way for a macro to obtain an object capable of launching a process without naming CreateObject directly. The primary function of the VBA code appears to be decoding a Base64 encoded string and executing the result, most likely a second-stage payload (PowerShell accepts exactly such a string via its encoded-command option). The verdict is based on static analysis of the macro source only; the code runs only if a user opens the file and enables macros (T1204.002), and the decoded payload itself was not analysed here.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (the document contains a VBA project, i.e. VBA macros are present)
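The following is an added example, not code from the report or from the analysis engine that produced it: a small offline re-implementation of the four heuristics listed above, extended with decoding of any Base64 literal found in the macro source (the behaviour the narrative describes). In practice the decoded VBA source would come from oletools' olevba, as it did for macros.bas below; here a constructed macro is embedded inline so the script runs without the sample, and the regexes are this example's assumption about what each heuristic looks for, not the engine's actual rules.

```python
import base64
import io
import re
import zipfile

# Heuristic ID -> (severity, pattern). IDs and severities are the ones the report lists;
# the patterns are this example's assumption about what each heuristic matches.
VBA_HEURISTICS = {
    "OLE_VBA_PS": ("critical", re.compile(r"powershell", re.I)),
    "OLE_VBA_GETOBJ": ("high", re.compile(r"\bGetObject\s*\(", re.I)),
    "OLE_VBA_CMD": ("high", re.compile(r"\bcmd(?:\.exe)?\b", re.I)),
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header that vbaProject.bin starts with


def join_split_strings(source: str) -> str:
    """Rejoin literals split with VBA line continuation ("abc" & _ <newline> "def"),
    a common trick for hiding a long Base64 blob from naive string scanners."""
    return re.sub(r'"\s*&\s*_\s*\r?\n\s*"', "", source)


def scan_vba(source: str) -> dict:
    """Return {heuristic_id: severity} for every heuristic that fires on the macro source."""
    text = join_split_strings(source)
    return {hid: sev for hid, (sev, pat) in VBA_HEURISTICS.items() if pat.search(text)}


def decode_blob(b64: str) -> str:
    raw = base64.b64decode(b64, validate=True)
    # powershell -EncodedCommand expects UTF-16LE; for ASCII payloads every odd byte is NUL.
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_base64(source: str) -> list:
    """Find quoted Base64-looking literals (16+ chars) and return their decoded contents."""
    text = join_split_strings(source)
    out = []
    for m in re.finditer(r'"([A-Za-z0-9+/]{16,}={0,2})"', text):
        try:
            out.append(decode_blob(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 (bad length or padding); skip it
    return out


def has_vba_project(ooxml: bytes):
    """OOXML_VBA: return the archive path of the VBA project if the zip carries one, else None."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin") and zf.read(name)[:8] == OLE_MAGIC:
                return name
    return None


# --- constructed inputs for illustration (not taken from the analysed sample) -------------
SECOND_STAGE = "Write-Output 'constructed second stage'"
_B64 = base64.b64encode(SECOND_STAGE.encode("utf-16-le")).decode()
SAMPLE_VBA = (
    "Sub Auto_Open()\n"
    "    Dim svc As Object, blob As String, pid As Long\n"
    '    Set svc = GetObject("winmgmts:\\\\.\\root\\cimv2")\n'
    f'    blob = "{_B64[:32]}" & _\n'
    f'           "{_B64[32:]}"\n'
    '    svc.Get("Win32_Process").Create "cmd.exe /c powershell -nop -w hidden -enc " & blob, _\n'
    "        Null, Null, pid\n"
    "End Sub\n"
)


def build_ooxml(with_macro: bool) -> bytes:
    """Minimal constructed OOXML zip, optionally carrying a (header-only) xl/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\0" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_vba(SAMPLE_VBA))
    print(extract_base64(SAMPLE_VBA))
    print(has_vba_project(build_ooxml(True)), has_vba_project(build_ooxml(False)))
```

The split-literal rejoin matters in practice: without it the two halves of the Base64 string are too short to match and the second-stage command stays hidden, which is exactly why an analyst should read the decoded source (macros.bas) rather than grep the raw vbaProject.bin.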

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 8d4ff25a50fe418ec101c19d7c8d50e41875ef9e2e20bcc628a3e94cbac11a1b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • vbaProject_00.bin
    SHA-256: 607ad187f796f3812bc54ab5714003570287c8e232e9398934dad4fdb83f42c5
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes