Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 752819d01a975087…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300

MD5: d660ce42284e7f715e3b2ddf6b5c0a99
SHA-1: 18eb7dbb6af980af7cb5c0b2ea14366f2c6f5f41
SHA-256: 752819d01a9750875a19bdea9607290dc15fe3b2cb5f45f0faf8047948e79c1f

Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate that the macros reference PowerShell and cmd.exe and call GetObject. The VBA code itself appears heavily obfuscated, but these indicators strongly suggest it is designed to execute further commands, most likely downloading and running a second-stage payload. Because the specific obfuscation technique used in the macro could not be fully deciphered, confidence is slightly reduced.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (the document contains a VBA project, so VBA macros are present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: ebeeb349633b2fe3e1621483255181a5dba6371817d1e6116012cb71e1611307
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • Filename: vbaProject_00.bin
    SHA-256: f19c4a5762af50ab970bbe344e53a983fdee9776c059f529b63c832bba6e54ce
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes