Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c25b4dd77a580b21…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3b792eb4e1378b2353e36cdd03362855
SHA-1: 28ec74385ea2a6228dfd9a279323bb8cc1922e03
SHA-256: c25b4dd77a580b21cc1405d77ee8bc76aac0b56a3b4fd6922021c72058038b56
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The OOXML file contains VBA macros that reference cmd.exe and PowerShell. The presence of a GetObject call and the critical-severity heuristic for PowerShell references suggest the macro is designed to execute external commands. The VBA code itself appears obfuscated, but its likely purpose is to download and execute a second-stage payload, warranting a high confidence score for malicious intent.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
    SHA-256: 78ce0a212419c97950e0bbc31309e3521a1ae407124f60789acb47e10f5492fb
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: 10927ad098560bfc0307525dbb7e50562e171f1fcdf205077ed21a5c183f8823