Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6d7a096c192a03d6…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 02389d094a5ab9149db64204fd4c09d2
SHA-1: 8ce943a359bd3697a043cf484cd905c5c9eae901
SHA-256: 6d7a096c192a03d6488af916c960ba98747f07c8a7a1eea3cdd6f259b5768070
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The file is an Office document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA macro itself appears to be heavily obfuscated, but its likely purpose is to execute further commands, potentially downloading and running a second-stage payload. The specific family is not identifiable from the provided evidence.

Heuristics 4

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project, i.e. VBA macros are present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • macros.bas
    SHA-256: df0606f70de04d96f34402fb9f121a625fc146542fff49027b1f248855ceadfe
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • vbaProject_00.bin
    SHA-256: 558708db66c173ce499e651f7b1f415c33c04097638e2bd9564a8ccfb1e3c3bf
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes