Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a38983f726d0c886…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 054cb862d25b0151612af6ac5bf54948
SHA-1: 6f4854175df2d74eacdb773ab8e68fc503a39a9a
SHA-256: a38983f726d0c88631b9b8981a46b564bcdb333a650c96ece3cfd81b991d63f7
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, suggesting it's designed to execute commands. The presence of a Base64 decoding function within the VBA code further supports the hypothesis that it decodes and executes a malicious payload. The document is likely delivered as a spearphishing attachment.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 1780104a0cb7beefff563332554b55800296f4da2f9f85704d6c87edb520f954
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: c1da3381ac24676e5bdec849da3639d41ca71fa7bb92e2224ac016704bdfd141
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes