Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a524b17edc79f1ca…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 16.3 KB
MD5: 8fb67950eee24c33116c5c8ae87bbde1
SHA-1: 26d8b5eec451ed68f3a61f4f69b4fadffb736d22
SHA-256: a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an OOXML document containing a renamed VBA project and an Auto_Open macro, indicating malicious intent. The VBA macro assembles its command line from concatenated string fragments to avoid a contiguous, easily matched string: "msh" + "ta " + "http://www.bitly.com/ashjdkqowdhqowdh", i.e. an mshta invocation pointing at a URL-shortener link. That link is likely used to download and execute a second-stage payload.

Heuristics (3)

  • VBA project part renamed to evade filename detection [severity: high, rule: OOXML_VBA_PROJECT_RENAMED]
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Open macro [severity: high, rule: OLE_VBA_AUTO]
    The VBA project contains an Auto_Open procedure, an auto-execution entry point.
  • VBA project inside OOXML [severity: medium, rule: OOXML_VBA]
    Document contains a VBA project, i.e. VBA macros are present (project part renamed away from vbaProject.bin: ppt/Pdonsa.bin).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 6082 bytes
    SHA-256: 283f221c45da2e9f7d3b8b358846b15795c287fcac6f37c51da34a687f129f7f
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: ppt/Pdonsa.bin
    Size: 40448 bytes
    SHA-256: 0cd7c57324a56dfddb1d335749e98a67392479b674039ac55b23e7162630e048