Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b89cfc11af680a7d…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: aaffeda6131106b83c7ff80782bb9fb1
SHA-1: e464ca6de9c6d364c7a2a434e551023b70e98e6f
SHA-256: b89cfc11af680a7d1ca4995fb2af4ec3df36d86d3f2190457023f80ecb6a08fe
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1059.005 Visual Basic
T1204.002 Malicious File

The VBA macro contains obfuscated code that references cmd.exe and PowerShell, indicating an attempt to execute system commands. The GetObject call is also suspicious in this context. While the exact payload is not visible because of the obfuscation, the combination of these elements strongly suggests the macro is designed to download and execute a second-stage malicious file.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  35036 bytes
  SHA-256: b969e6db714dd78d9943cf04cc285809d605ea3e9aa4992287623bdf0de29967
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            11264 bytes
  SHA-256: 28be38344d38aee8458e554a811cc53a638f0741522518b6d0c0e347e557c79b