Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7fce21c7221f2cce…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ca615c0b2790856e4fbf46c6b9357b8a
SHA-1: e83c0b1abbf521c9d4309cc0483351499b824923
SHA-256: 7fce21c7221f2cce0d01ff67c7ca178febb4de93575b8ff78fb1ba9278f87e81
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros. Heuristics indicate references to PowerShell and cmd.exe within the VBA code, suggesting an attempt to execute external commands. The presence of a large VBA macro file (`macros.bas`) further supports this, likely containing obfuscated code to download and run a second-stage payload. The document's structure and macro content strongly suggest it was delivered as a malicious attachment.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA): the document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  SHA-256: ea886d17471faab82336e57b96eca6f6f5ef40a0855592a601361d23abe30b7c
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

vbaProject_00.bin
  SHA-256: cd30b84998ec2dbe99913a573f52c849ea191b0187f954a0d8ecb7178b8fd8cd
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes