Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c423c06cd990168d…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 15.1 KB
MD5: 877dd278c8f6f539dcb7886a6ee62009
SHA-1: 8be830c90d2f7fbf553b8f58a2f522c304285d8a
SHA-256: c423c06cd990168d8d4af9f50ee210f0b2ec0ccd6b1d12b3357aae76b206d863
Risk score: 100

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an OOXML document containing VBA macros, including an Auto_Open macro that runs when the document is opened. The VBA code references cmd.exe and assembles a URL from concatenated string fragments, indicating an attempt to download and execute a second-stage payload. The reconstructed URL is https://www.bitly.com/ashjdasasdjasjddhqowdh, a link-shortener address that is likely malicious.

Heuristics (3)

  • Auto_Open macro (severity: high, rule OLE_VBA_AUTO)
    Auto_Open macro present in the VBA project
  • cmd.exe reference in VBA (severity: high, rule OLE_VBA_CMD)
    VBA code references cmd.exe
  • VBA project inside OOXML (severity: medium, rule OOXML_VBA)
    Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 6a9c2cbd1085f53b71471302252a68c8e14aaeb4f93047d295cada55d6d4792b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 6043 bytes
  • Filename: vbaProject_00.bin
    SHA-256: fe1e0eaf7ba9176fbfdbc8eed74e0f6d181d7061d4ce388e6eca465bbf55d01e
    Kind: vba-project
    Source: OOXML VBA project: ppt/vbaProject.bin
    Size: 34816 bytes