Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 89bf17ebd69d107a…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 5988741b09155abdf3e42e84b1038d54
SHA-1: e264bad7d77a4a6c65dfca759c9f31ade5598786
SHA-256: 89bf17ebd69d107a4b08f09b98f0d1eff86d805b98246a3d4c0a56302486fa84
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an Office document containing VBA macros. Heuristics indicate references to cmd.exe and PowerShell within the VBA code, which strongly suggests the macros are designed to execute commands, most likely to download and run a secondary payload. The GetObject call further supports this, since it can be used to load external objects or code at runtime.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 82dd07430e94b49c899ee5c766a5ce576edb212ed3f82f606799f0ffe0095466
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 62d0c59f2ace9d4fd653f101ec181c517f714cad23dfe1bcb85cd9a412333a70
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes