Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8129fc42a7a47e97…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 415581f7f16fa8690b534b18c7e32094 SHA-1: 6773ffd893e5800fed565406cb4e7634df7b4ffe SHA-256: 8129fc42a7a47e9766b22a0976be66bfe312a258f58164078554c9e7046fe72d
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The VBA macros within this Excel document contain references to cmd.exe and PowerShell, indicating an intent to execute external commands. The GetObject call further suggests the potential for object manipulation or execution of embedded code. While the specific payload is not directly visible, the presence of these execution vectors strongly suggests the document is designed to download and run a secondary malicious component.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
621c8cc13572d9a19c85927ec9d35b3c181ad8bd5c5df6adad4845f712cc1546		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
30a6c07bd9aa75b52cdeb51736b1d10b575109a9ef728afc9a0c9aea3ce3eb29		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.