Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d0fac270e2e4f584…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 77924702d2bf91322270efd94f7d3be4 SHA-1: ec195faf611f5223e22b03b15c1ed3a12e5fc410 SHA-256: d0fac270e2e4f58448e7eefdae437de1430748416bf1f399f210c674441cdd6c
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA code itself is heavily obfuscated, but its structure suggests it is designed to decode and execute a PowerShell command. This is a common technique for downloading and executing further malicious content.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f538b8a52805e8fd8c3953405e64c32f77cd5269bd67d1d1f2932eaacef910ea		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
14d17f381ebc09d4fa0cfa0be3a2dc8c72f6eecfa0a9d487d0d2a41754d2ea44		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.