Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a136eb3722074d65…

MALICIOUS

Office (OOXML)

Size: 41.7 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4235e4903ebd4f0a4c67e8ec12e1ec7a
SHA-1: f0e9a7fc509837334cc3b2bf155958d072260d70
SHA-256: a136eb3722074d6523141ae6e10ee73b19bb15a11a9316430fa25709e6ca31ee
Risk Score: 160

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1059.001 (PowerShell)

The file is an Office document containing VBA macros. The macros reference PowerShell and cmd.exe and also call GetObject, indicating an attempt to execute external commands. The VBA code includes a Base64 decoding function, suggesting it is used to obfuscate a payload that is likely downloaded and executed.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project; VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes
  SHA-256: c13de7de74be830f39d5c9ab71eb022a43849d5e794c81ed8461576fc6c531b5

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes
  SHA-256: 5a908fbbac8877b4971532d12cb247d3e796eb6b686a87ce3fa9a3ee9feafe50