Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b5a1657d408f6da9…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 11d487b3d2766c1d9dc34755415c16e8
SHA-1: 86943788e4393a54615ca6a6c7f886ae5c34811a
SHA-256: b5a1657d408f6da9539dff9b64c0e688e87d4e4be54359dc7046a118d578dcdb
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The critical heuristic 'OLE_VBA_PS' indicates a PowerShell reference within the VBA macros, and 'OLE_VBA_CMD' shows a cmd.exe reference. The VBA code itself contains obfuscated functions such as 'Decode64' and uses constants that suggest it is designed to decode and execute further commands. Taken together, this strongly suggests the macro's purpose is to download and run a second-stage payload, a common technique for malware delivery.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 96056fed010e61134c82c4cc0a6094a59ba35708195bc7d38c0896ca2b920a96
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: dd4c6952de078a80d22da5254db101b47c6469c60e89211e554861885e148c6d
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes