Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6f85450f7eb288b4…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 37473825059034d35293a742e529a959 SHA-1: cc79326264b282188d1086803bdcce39e288a96a SHA-256: 6f85450f7eb288b48b1f3d6323b261461773044c565325dadd61020afad09d84
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The OOXML document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The VBA script itself appears to be a Base64 decoder, indicating it's likely used to obfuscate and decode a malicious payload. The primary function of this macro is to download and execute a second-stage payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b093676008bf057d277577e792423b10c262be36a5c89e804ff8f000dbf4f82a		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
e65eebcd263dfb82cf0b562d348a940d095343c31e619edefdfe7bfb13f5c41f		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.