Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ab3d6826261c53ba…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 9038552eaf1d2f84c6a34e9187f1bfa2
SHA-1: 7e71ba9f387e41bf568b0c4c698e22e8432d8b35
SHA-256: ab3d6826261c53baa927d540fa4309ec2387b3d95086d3cf62c0502a16e1417b
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an OOXML file containing VBA macros. Heuristics indicate references to cmd.exe and PowerShell within the VBA code, suggesting an attempt to execute commands or scripts from the document. The GetObject call is also suspicious, since it is a common way for macros to obtain COM objects such as WMI or shell automation. The VBA code additionally includes a Base64 decoding function, which is often used to obfuscate embedded payloads or command lines.

Heuristics (4)

  • [critical] OLE_VBA_PS — PowerShell reference in VBA
  • [high] OLE_VBA_GETOBJ — GetObject call
  • [high] OLE_VBA_CMD — cmd.exe reference in VBA
  • [medium] OOXML_VBA — VBA project inside OOXML (document contains a VBA project; VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes
  SHA-256: 71eeb02db9d0906331094f9518cfdc57179f77924f5f1b4b61b3879c1e6ae207

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes
  SHA-256: b19fe08f67e884b691c8deae775f3c99c4dabf9033a1cbf26137a2b7183683df