Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 96a12c52c9b998bf…

MALICIOUS

Office (OOXML)

41.8 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: f321cfbdae1c32e72ce685676f5c271d SHA-1: c868b43f9c742515a98cca63f79d03a7cd22717b SHA-256: 96a12c52c9b998bf44d9f577f939ebb2c74cf5dfc72021238b834f15beadabb7
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The OOXML file contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute commands. The GetObject call further suggests potential for object manipulation or execution. While the specific payload is not fully discernible due to truncation and obfuscation, the presence of these elements strongly suggests a macro-based downloader or executioner.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
3fb16b3b091dada658323f9e950ca2bfa5928e1297252f7069c443839d90b4af		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
053b6487ecba29eee3d6609333390a8bef7e5f48a7a42077a8395f9f5063c6d1		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.