Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9986c27b44703be8…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 9c2daee9801468ae73036848e0570845
SHA-1: 3a2cd5223788d571694123ecd73855f14b47cddd
SHA-256: 9986c27b44703be885c78c61092609c56a1d23fc4006222c7c9334f7ebfc3bf0
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is an Office document containing VBA macros. Heuristics indicate the presence of PowerShell and cmd.exe references within the VBA code, along with a GetObject call. The VBA code itself appears to be heavily obfuscated, but its structure suggests it is designed to execute external commands, likely for downloading and executing a secondary payload. The presence of VBA macros in an Office document strongly suggests a spearphishing attachment delivery vector.

Heuristics (4)

  • [critical] OLE_VBA_PS: PowerShell reference in VBA
  • [high] OLE_VBA_GETOBJ: GetObject call
  • [high] OLE_VBA_CMD: cmd.exe reference in VBA
  • [medium] OOXML_VBA: VBA project inside OOXML (document contains a VBA project, so VBA macros are present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
    SHA-256: 7f55b0e5eb87fefa7b81e2f0c0a41bccad1c01f1975a5d99c33b02698fa6c3ea
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project, xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: 8c628d4aefd40ff1bb7917e58c2c0541a6c69a78cbfea6df52cdcb1b9ec6d896