Office (OOXML) malware analysis — malicious · ba4fc3e2f97d9216

MALICIOUS

Office (OOXML)

42.1 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: 8e41ff2068b4dea6ca557d066dc34139 SHA-1: 22d26a50910012fdc2bf00e29b0b47e1251c262e SHA-256: ba4fc3e2f97d92166d49385cf7ba9502cd39af8d1ec1fe275fc828c59b666718

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1218.011 System Binary Proxy Execution: Rundll32

The file contains a Workbook_Open macro that references cmd.exe and powershell.exe. The critical heuristic 'OLE_VBA_PS' and 'OLE_VBA_WMI_PROCESS_CREATE' indicate that VBA is used to launch PowerShell commands, likely for downloading and executing a secondary payload. The presence of a Base64 decoding function suggests obfuscation of malicious code or URLs.

Heuristics 6

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c63450c0f4198c45b3566096a9c3218991c5b86d9b084ff2cf4860431c1db0fe`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	36374 bytes
`vbaProject_00.bin` `41f5900ae6cca1eb3289ed7f7ceb5322f6587a9b167744a38318d48cb8ca2645`	vba-project	OOXML VBA project: xl/vbaProject.bin	11776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.