Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a61a8925c1e7ca4e…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 61476b050447b47eeeafc2928ff54d8c
SHA-1: e23192d24a87a208c4d7e4a4d08bd22de0c9cb44
SHA-256: a61a8925c1e7ca4ec0f687190fff4e4fa1b0af219a03b284da83462de39ccbb5
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The OOXML document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call is also suspicious. Together these indicators suggest the macro is designed to execute commands, most likely to download and run a secondary payload. The Base64 decoding function present in the VBA code further supports this, since Base64 encoding is commonly used to obfuscate malicious payloads.

Heuristics (4)

  • PowerShell reference in VBA (critical; OLE_VBA_PS)
  • GetObject call (high; OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high; OLE_VBA_CMD)
  • VBA project inside OOXML (medium; OOXML_VBA): the document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: af693e83b64355526ca35c6b7d3a794650adc82817c12dcc84cb36360c54834e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 34430 bytes

Filename: vbaProject_00.bin
SHA-256: 73a3fd37007444cd5f5f827dad3aec7688834f0838f97f22a37ef283b6f8bccf
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 11264 bytes