Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 980d71f0f0e9ae70…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 9233337625565af3b6e1a3216c186ad9 SHA-1: 4bf0829a85331fe4ba46644ad5c8c6f5d0359f24 SHA-256: 980d71f0f0e9ae70de2bc869fc5e03554d1755a64b19f49f7bf2d0d77f8452b6
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate the presence of PowerShell and cmd.exe references within the VBA code, suggesting an attempt to execute external commands. The VBA code also contains a Base64 decoding function, which is commonly used to obfuscate malicious payloads. The likely intent is to download and execute a second-stage payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
97dadefe8ad7f30a7b70701b5850dad0175348417f6ec055c9a4e50451910abd		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
23e782c8889b47c6f79551537a06042d97699a2bca68aac3cfb43e79059f3896		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.