Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b742c179971bd573…

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 3560aadda09abe0b89f50c118d92ce37 SHA-1: 11e0d78e3188d90b3ae7cfc0949ed872ba9423e9 SHA-256: b742c179971bd57344ceb002be6b870cfcd57e2cd7a711e33eb5a42b23c60bd9
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject, suggesting it's designed to execute external commands. The presence of a large VBA macro file and a VBA project file are key indicators. The macro itself appears to be a Base64 decoder, likely used to deobfuscate and execute a malicious payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
03930dc394c5c99425d645de0f80cd5dfa2fc5856de5ea31b447f27169e86fc8		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
713f26236b956f95f24c58d7d9dfc4d165151aa0fde997bce969f2b7f78ca579		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.