Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 75ad67bc6b00aa31…

MALICIOUS

Office (OOXML)

Size: 41.7 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 51d2f929dd844c5a8a472386bc307ac4
SHA-1: 9ce3e8fb2c57b88164584a671eafcc07739107d2
SHA-256: 75ad67bc6b00aa310bf01f8dac63a10a0a21057414ba0b51df236ff1434a6c39
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

This Excel document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call, combined with the presence of VBA macros, suggests an attempt to execute arbitrary code. The VBA code also includes a Base64 decoding function, indicating that it likely decodes an embedded payload and executes it, possibly via PowerShell.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 10ba5ad296a3a566b588d50d2eba8b03715e4a1b5b32ec51494add8f80fe3979
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • Filename: vbaProject_00.bin
    SHA-256: e45b8a3cd21df64751444eff64b464d388ab24500b3d34183a838a2d40af7a3f
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes