Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c769317a57947a44…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a667bc4ca1c7cf8368ef479955efa82f
SHA-1: 1ed724d8527ccf0de31a6c5bc438eb05928df749
SHA-256: c769317a57947a4410616e4352917423bcf7014c6595c78817cc2a4e09579b73
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The file is an OOXML document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA macro itself appears to be a Base64 decoder, suggesting it is used to obfuscate and execute a payload. The primary function of the script is to decode and execute a secondary payload, likely downloaded from a remote source.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA): document contains a VBA project — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  SHA-256: 0d69cfcc81562549b0043d4cecbabfe36a14d4250891e4b2e999a11ae8e26a6b
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

vbaProject_00.bin
  SHA-256: 1762ac9048ea79c07ae1c0817bd4fd7a0c1a65614968377d137c33bfb7b2e7f3
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes