Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7909a858d5918ff7…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: dc0a4e9e0a9ace7c42d520ea374afcfc SHA-1: f9c1a23f92ed0fcb0f8b89d0643e57408d16ca02 SHA-256: 7909a858d5918ff740e6a68044376b380d1bcbd986fb33de97696201682878eb
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA code itself appears to be heavily obfuscated, but the presence of these indicators suggests it is designed to download and execute a second-stage payload. The specific obfuscation and lack of clear indicators prevent confident family attribution.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d285d34d5f05a321bba3af035bc93bd6d19e693a5a7eb2f97ff1a9a15d8237a4		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
2b46e865e7f634846c6e2bf9f790a5ec3a613f7d39dd9b18cb0882c38f991f3d		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.