Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7d4477852d05a799…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 7ac63a170db227246976b20ee8662339
SHA-1: 1415d94674da9651c28cb4608b63d5081536917e
SHA-256: 7d4477852d05a7991a064f15c78b2d9aaece61d2b04c2b3a6f1ed1be302129bf
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file is an Office document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA macro itself appears to be a Base64 decoder, suggesting it is used to obfuscate a payload that is likely executed via PowerShell. This pattern is commonly used to download and execute further malicious content.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  35036 bytes
                   SHA-256: b454ea0164a989ab170946dcde0c72c0675b69a87afc7f726b80e81762137710
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            11264 bytes
                   SHA-256: 94e758d8303c6f764f0e4ff83a4d84e3ff7e746ae7163305fc6cb31fd0257167