Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b8bb19a7bf43ec09…

MALICIOUS

Office (OOXML) / .XLSM

Size: 384.2 KB
Created: 2021-02-15 19:29:50 UTC
Authoring application: Microsoft Excel 14.0300
MD5: 157c2e3b6c4ee017877d9f0660225d73
SHA-1: bee0a67ea491edff47c060d83d1456cc1041a99a
SHA-256: b8bb19a7bf43ec0921edd4f9d725175732e3d3519274f7d35f65f90f782f16f2
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic

The OOXML file contains a VBA project with a Workbook_Open macro, indicating that the macro code is intended to execute automatically when the document is opened. The presence of a NOP sled suggests an attempt to bypass basic detection mechanisms. The GetObject call is often used in VBA to launch external processes or load additional malicious components.

Heuristics (4)

  • NOP sled detected [high, SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
  • Workbook_Open macro [high, OLE_VBA_WBOPEN]
    Workbook_Open macro present; auto-executes when the workbook is opened
  • GetObject call [high, OLE_VBA_GETOBJ]
    GetObject call present in the VBA source
  • VBA project inside OOXML [medium, OOXML_VBA]
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3185 bytes
    SHA-256: 85932dfd48bdf0c569ca259263ddfebe7b5c46f083625a1fa36964ada7c75b3b
  • Filename: vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 15872 bytes
    SHA-256: 5e29194737d5b64d46cfc817ed37f383d835d14c25fa715fa32868c9b8a8627c