Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a5e2edf7191cb948…

MALICIOUS

Office (OOXML)

Size: 41.5 KB   Created: 2021-06-22 12:43:05 UTC   Authoring application: Microsoft Excel 16.0300
MD5: 4a84cf7902b036088065ccb4271f3a74
SHA-1: 77edd8a212e812dfb17bab265a415e1855e84355
SHA-256: a5e2edf7191cb948bec725b71e1a00a965fc9b1a754e29b1ac369d6ab23795a7
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1204.002 User Execution: Malicious File

The OOXML file contains VBA macros that reference cmd.exe and PowerShell, indicating an attempt to run commands through those interpreters. The GetObject call is the usual way a macro obtains a COM automation object (for example the WMI service via a winmgmts: moniker) and launches a process without calling Shell directly, a pattern chosen to evade simple Shell-based detections; the object moniker is not visible here, so this remains an inference from the keyword alone. The specific command line is not recoverable from the static scan, but a script-interpreter reference combined with an object-automation call is characteristic of a downloader or dropper. Keyword heuristics cannot confirm the payload: the decoded source carved as macros.bas (34 KB) should be reviewed to establish what is actually executed before the verdict is acted on.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project, VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                            Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)    34430 bytes
                   SHA-256: 450c74e29bdd5c1b295519200f87f2fbcfd0407576a5d6b9d20d498c9b38f985
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                              11264 bytes
                   SHA-256: 37b664e4ad2fdc07116fba7245539fc03b18cb01f36baf79eb3f685e29355ebe
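The two steps this report chains together (carve the VBA project part out of the OOXML zip and hash it, then run keyword heuristics over the decoded macro source) are shown below as an added example. It is not the analyser's own code and does not reproduce its scoring; the regexes, severity weights, the in-memory sample package and the macro text are all constructed here for illustration. Decoding the MS-OVBA streams is delegated to oletools' olevba (a real library, used only in the optional helper), so the heuristic scan takes already-decoded VBA source as input and runs offline.

```python
import hashlib
import io
import re
import zipfile

# Keyword heuristics over decoded VBA source. Ids and severities mirror the
# report above; the regexes are this example's own approximation of them.
VBA_RULES = [
    ("OLE_VBA_PS", "critical", "PowerShell reference in VBA", re.compile(r"powershell", re.I)),
    ("OLE_VBA_GETOBJ", "high", "GetObject call", re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_CMD", "high", "cmd.exe reference in VBA", re.compile(r"\bcmd(\.exe)?\b", re.I)),
]

# Package parts that hold a VBA project in Excel, Word and PowerPoint OOXML files.
VBA_PROJECT_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")

# Illustrative weights only; they do not reproduce the report's 160 risk score.
SEVERITY_WEIGHT = {"critical": 100, "high": 30, "medium": 10, "low": 1}


def carve_vba_project(ooxml_bytes):
    """Locate the VBA project part in an OOXML (zip) package.

    Returns (part_name, sha256_hex, size_bytes), or None when the package
    carries no VBA project.
    """
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as pkg:
        for name in pkg.namelist():
            if name in VBA_PROJECT_PARTS:
                data = pkg.read(name)
                return name, hashlib.sha256(data).hexdigest(), len(data)
    return None


def scan_vba_source(vba_source):
    """Run the keyword heuristics; returns a list of (id, severity, description)."""
    return [(rid, sev, desc) for rid, sev, desc, pat in VBA_RULES if pat.search(vba_source)]


def decode_with_olevba(path):
    """Decode the VBA source with oletools (real library, optional here).

    This is the step the report attributes to oletools.olevba.extract_macros;
    decompressing the MS-OVBA streams is left to that library.
    """
    from oletools.olevba import VBA_Parser
    parser = VBA_Parser(path)
    try:
        return "\n".join(code for _, _, _, code in parser.extract_macros())
    finally:
        parser.close()


def analyse(ooxml_bytes, decoded_vba=None):
    """Combine the structural check with the keyword heuristics.

    decoded_vba is the macro source as produced by olevba; the keyword rules
    only run when a VBA project part was actually found in the package.
    """
    findings = []
    carved = carve_vba_project(ooxml_bytes)
    if carved is not None:
        findings.append(("OOXML_VBA", "medium", "Document contains a VBA project"))
        if decoded_vba:
            findings.extend(scan_vba_source(decoded_vba))
    score = sum(SEVERITY_WEIGHT[sev] for _, sev, _ in findings)
    return {"artifact": carved, "findings": findings, "score": score}


# --- Constructed sample input (not the analysed sample) ---------------------

# Stand-in for a VBA project part; real ones are OLE2 compound files.
FAKE_VBA_PROJECT = b"\xd0\xcf\x11\xe0" + b"\x00" * 60

# Constructed macro text carrying the three traits the heuristics look for.
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Sub Workbook_Open()
    Dim svc As Object
    Set svc = GetObject("winmgmts:")
    Dim cmdline As String
    cmdline = "cmd.exe /c powershell -NoProfile -Command Write-Host placeholder"
    svc.Get("Win32_Process").Create cmdline, Null, Null, Null
End Sub
'''


def build_sample_ooxml(with_vba=True):
    """Build a minimal in-memory OOXML package, optionally carrying a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            pkg.writestr("xl/vbaProject.bin", FAKE_VBA_PROJECT)
    return buf.getvalue()


if __name__ == "__main__":
    result = analyse(build_sample_ooxml(), SAMPLE_VBA)
    print("artifact:", result["artifact"])
    for rid, sev, desc in result["findings"]:
        print(f"{sev:>8}  {rid:<15} {desc}")
    print("score:", result["score"])
```

On the constructed package the structural rule fires first, then the three keyword rules; on a package without xl/vbaProject.bin nothing fires even though the same macro text is supplied, which is the point of gating the keyword scan on the carved part. Note that the variable name cmdline in the sample is deliberately not matched by the cmd.exe rule, a small reminder that word boundaries matter when keyword heuristics are tuned.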