Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7577697997da4008…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f6445306bf486ad93ef3a90124422f2e
SHA-1: b1f3f0663bb7bafc044f4ed52281081baea96771
SHA-256: 7577697997da40085ccb8bca3d74eb78c59366cfedf231ae4a847e0549bdd82b
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an OOXML Office document (an Excel workbook, per the authoring application) that carries a VBA project. Static heuristics flag references to cmd.exe and PowerShell in the decoded VBA source, which indicates the macro is built to run commands on the host rather than to automate the workbook. The GetObject call points the same way: in VBA it returns a reference to an existing COM object, and macros commonly use it to reach WMI or the Windows shell and spawn a child process without a conspicuous Shell() call. Taken together, the primary function of the VBA appears to be to download and execute a second-stage payload. These are string-level findings from static analysis only; the actual command line, any download location and the second stage itself have to be confirmed from the decoded source (macros.bas below) or from a sandbox run.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, so VBA macros are present
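The Python script below is an added example, not the analysis platform's own code, that shows the two static checks behind this verdict: locating the VBA project part inside the OOXML zip (what OOXML_VBA detects) and running the three VBA-source heuristics above over decoded macro text. The heuristic IDs and severities are the report's; the regular expressions, the score weights, the sample macro and the sample package are constructed here for illustration, and decompressing vbaProject.bin (MS-OVBA) is left to oletools' olevba, as the report did.

```python
"""Added example (not the report's tooling): OOXML VBA-project discovery plus
the report's VBA-source heuristics. Regexes, weights and sample data are
assumptions constructed for illustration."""
import io
import re
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Assumed weights; the report's own score of 160 is not reconstructed here.
SEVERITY_WEIGHT = {"critical": 100, "high": 40, "medium": 20}

# (heuristic id, severity, pattern). VBA is case-insensitive, so the patterns
# are too. The patterns are assumptions, not the report's rules.
VBA_HEURISTICS = [
    ("OLE_VBA_PS", "critical", re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh\b", re.I)),
    ("OLE_VBA_CMD", "high", re.compile(r"\bcmd\.exe\b|\bcmd\b\s+/[ck]\b", re.I)),
    ("OLE_VBA_GETOBJ", "high", re.compile(r"\bGetObject\s*\(", re.I)),
]


def find_vba_projects(package):
    """Return [(part name, size)] for every VBA project part in an OOXML zip.

    Excel keeps it at xl/vbaProject.bin and Word at word/vbaProject.bin, but the
    name is only a convention: the [Content_Types].xml Override carrying the
    vbaProject content type is what Office honours, so both are checked.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        declared = set()
        if "[Content_Types].xml" in z.namelist():
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
            for override in re.findall(r"<Override\b[^>]*>", ctypes):
                part = re.search(r'PartName="/([^"]+)"', override)
                ctype = re.search(r'ContentType="([^"]+)"', override)
                if part and ctype and ctype.group(1) == VBA_CONTENT_TYPE:
                    declared.add(part.group(1))
        for info in z.infolist():
            if info.filename in declared or info.filename.lower().endswith("vbaproject.bin"):
                found.append((info.filename, info.file_size))
    return found


def scan_vba_source(source):
    """Run the VBA-source heuristics over decoded macro text.

    Returns one hit per (heuristic, line) as (id, severity, line number, line).
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for hid, severity, pattern in VBA_HEURISTICS:
            if pattern.search(line):
                hits.append((hid, severity, lineno, line.strip()))
    return hits


def analyse(package, decoded_vba):
    """Combine container and source findings into a report-style summary."""
    hits = scan_vba_source(decoded_vba)
    projects = find_vba_projects(package)
    if projects:
        hits.append(("OOXML_VBA", "medium", 0, "VBA project: " + ", ".join(p for p, _ in projects)))
    # Score each heuristic once, however many lines triggered it.
    fired = {hid: sev for hid, sev, _, _ in hits}
    score = sum(SEVERITY_WEIGHT[sev] for sev in fired.values())
    return {"projects": projects, "hits": hits, "fired": sorted(fired), "score": score}


# --- constructed sample input (not taken from the analysed file) ------------

# Minimal dropper skeleton. GetObject("winmgmts:") spawns the child via WMI
# instead of Shell(), which is why GetObject is scored as its own heuristic.
SAMPLE_MACRO = """\
Sub Auto_Open()
    Dim proc
    Set proc = GetObject("winmgmts:").Get("Win32_Process")
    proc.Create "cmd.exe /c powershell -w hidden -enc <base64 payload>", Null, Null, pid
End Sub
"""

# Dummy vbaProject.bin bytes: not a real MS-OVBA stream, just a placeholder
# part with the right name and content-type override.
DUMMY_VBA_PROJECT = b"\xd0\xcf\x11\xe0" + b"\x00" * 60


def build_sample_xlsm(with_vba=True):
    """Build an in-memory macro-enabled workbook package (constructed sample)."""
    overrides = ('<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>')
    if with_vba:
        overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + overrides + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", DUMMY_VBA_PROJECT)
    return buf.getvalue()


if __name__ == "__main__":
    result = analyse(build_sample_xlsm(), SAMPLE_MACRO)
    for hid, sev, lineno, line in result["hits"]:
        print(f"{hid:16} {sev:8} line {lineno}: {line}")
    print("fired:", result["fired"], "score:", result["score"])
```

Because the patterns look for literal strings, a macro that assembles "powershell" or "cmd" from Chr() calls or string concatenation will slip past them; that is why a production pipeline pairs this kind of scan with olevba's deobfuscation pass or a sandbox detonation before trusting a clean result.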

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: eff4ea285a851439942c806ef8013cce550a1c4f4e3d57e5e9b69cfcf772deff
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • vbaProject_00.bin
    SHA-256: d2a3873779292cc57aebfa392886ddc4a7169580e9130821372b19f1dd73d5f7
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes