Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b84fb2f8ac9770dc…

MALICIOUS

Office (OOXML)

41.7 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: c8ac7766bc3ed84dac1ea32b4429a920 SHA-1: ab08a32dabcac2184e02710c7e8a9a3e8a530154 SHA-256: b84fb2f8ac9770dc93b18c3aab073c77e4ab176fa1afca7df831cb063568490e
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is an OOXML file containing VBA macros. Heuristics indicate the VBA code references cmd.exe and PowerShell, suggesting it's designed to execute commands on the host system. The GetObject call further supports the likelihood of object instantiation for malicious purposes. The primary function of the VBA script appears to be the execution of external commands, likely for downloading and running a secondary payload.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
134cafc8d33bb32153c48c6d45c60ad3f719ce4b35f08ad0662d0506ba09cf25		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
2a2fc01449657dee2ec6940109ac5e3c06a3b0fc141b4f6eb8356aac6f508888		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.