Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cca4a72a70980e3c…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: e52f13eac677f048afe05419ed009e31
SHA-1: 1a6ec3a4390ada9813ae176cad0a9007a797cc24
SHA-256: cca4a72a70980e3c391919c5c0d02daf7b2dba9e23e7e7a3e5cdf931570d9ef3
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros. Heuristics indicate that the VBA code references PowerShell and cmd.exe and uses GetObject, suggesting it is designed to execute external commands. The presence of a Decode64 function in the VBA macro indicates obfuscation, likely used to hide a payload download or execution routine. The primary attack pattern is likely a spearphishing attachment, with the VBA macros serving as the execution mechanism for a secondary payload.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 0b2e4492e3e8074baf6cdcd279d1e5e28d9dcb54e13337f7771f0c8b63b669b1
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes

Filename: vbaProject_00.bin
  SHA-256: 53055e3aa8a41999cdb430727c0427fb461b28d73ef098f116e94231a6fe76da
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes