Office (OOXML) malware analysis — malicious · 7853ba82f17ec829

MALICIOUS

Office (OOXML)

58.6 KB Created: 2021-08-25 22:09:50 UTC Authoring application: Microsoft Excel 16.0300

MD5: 3cd19eb6710ae45e39250826b3ddafa8 SHA-1: dcdd4066dbef6ee8fc9a74b6ae9425b5cf35e51f SHA-256: 7853ba82f17ec829d155f1d551339ba681167f86dfeddb48cd48d115377a8c2f

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file is an OOXML document containing VBA macros, as indicated by the 'OOXML_VBA' heuristic and the presence of 'macros.bas'. The VBA code attempts to allocate memory and write to it, suggesting it's designed to execute a secondary payload. The ClamAV detections further confirm its malicious nature. The specific functions used (CreateRemoteThread, VirtualAllocEx, WriteProcessMemory) point to a common pattern of macro-based malware execution.

Heuristics 3

ClamAV: Doc.Macro.Injection-6355574-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8ea21edffccc6b6407d6f6e0601c59614345193842a009c853033b081fab02e0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3518 bytes
`vbaProject_00.bin` `d9c6c4e097b96599a110b4f11cd1e0336a6c5f5b2a45ed292333ff451979469b`	vba-project	OOXML VBA project: xl/vbaProject.bin	148480 bytes
Detection ClamAV: Doc.Macro.Injection-6355574-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.