Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ac050ac4ac473e28…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: af05f439f3ced5111c9c27a9c999a947
SHA-1: bc886c01fbd5d8e328433832c4e8080ec295712c
SHA-256: ac050ac4ac473e28830114690eb00da31b764fd412e1995d4c79870851a5fbc9
Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The OOXML file contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of VBA macros suggest an attempt to execute malicious code. The VBA code includes a Base64 decoding function, indicating obfuscation, and is likely used to download and execute a secondary payload. The specific family is not identifiable from the provided evidence.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project, so VBA macros are present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 3bd2f39acc95891be99c49cc52cd6fc27dcd914d6282216a6d78b833e47419e9
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: 12ed2e26e28911b867b29ea5c62314623c64d6d75984d2cbb266789289d8ad57
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes