Office (OOXML) malware analysis — malicious · c592ae0ee12a5857

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: 85866dfc651ef38e0e825a1a7846b1b9 SHA-1: 47187b3a6c0be75bb20194048bc7b6987ada4ea0 SHA-256: c592ae0ee12a585796d5d687b38e28bca2c7a6917e1c1cfd7feaa8113b7998fb

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic 'OLE_VBA_PS' indicates a PowerShell reference within the VBA macros, and 'OLE_VBA_CMD' shows a cmd.exe reference. The 'GetObject call' heuristic further suggests the macro is attempting to interact with external objects or processes. These combined findings strongly suggest the VBA code is designed to execute commands, likely to download and run a secondary malicious payload. The Base64 decoding function present in the script further supports this, as it is commonly used to obfuscate malicious payloads.

Heuristics 4

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `e92d245e6642d29089029e75e3a66ae22ffe1369f79f6d67acce6247b772af60`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	35036 bytes
`vbaProject_00.bin` `cbcfc5aadb86c532a92aac08758a637c9e3c6bc675e26867f92de62cd3d77a21`	vba-project	OOXML VBA project: xl/vbaProject.bin	11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.