Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 695f04bdb021ff9c…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 93f1e238cf276377a300603b2c0926a1
SHA-1: e9d67cee76072d4787318d53f12cde77a90be7ab
SHA-256: 695f04bdb021ff9c98c9a8b96a1a3266b0ecf8bb7535e4ea4b60f788acb767b6
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The OOXML document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The script's functionality appears to be obfuscated Base64 decoding, likely intended to download and execute a secondary payload.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA) — document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256: 1c1da3fc4dd133270ad1b910b0e99d7eaf2d6f06607b4d75c2f004035b6eb6c4
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes

Artifact 2
  Filename: vbaProject_00.bin
  SHA-256: 55b4c96d583b142025e0600492f8335d748b4aa16b7ac4ec33031a5cb5e07e5a
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes