Office (OOXML) malware analysis — malicious · bd6b76890564812d

MALICIOUS

Office (OOXML)

14.4 KB

MD5: c4da4b011df1462374b04be56f99169a SHA-1: 64f038a765bfd5edcf97664bd4bdfd59803994cb SHA-256: bd6b76890564812dd399d1a15f8af070d44b7467ada40da9f94975e4ecf4e1e7

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The OOXML file contains a VBA project with an Auto_Open macro, indicating it's designed to execute malicious code upon opening. The macro references 'cmd.exe' and constructs a URL from concatenated strings, specifically 'https://www.bitly.com/ashjdasdaasdadasjdsdowdhqowdh', which is likely used to download and execute a second-stage payload. The renaming of the VBA project part also suggests an attempt to evade detection.

Heuristics 4

VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED

The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/123123123123.b)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0d36694eab0a3ef4d21bc9c2566ee2aa2c281d2f5fd5be0afdf73c25f0b0de0e`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	6062 bytes
`vbaProject_00.bin` `484fdd03f4785f81a8549b430555d49a97781b6b6e0477544b80f9e7b7bdae5b`	vba-project	OOXML VBA project: ppt/123123123123.b	35328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.