Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d3e31f52f523e27e…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: fb5a1d1c6cb71a9b01bd331259e4b5f8
SHA-1: 3b5da2805f8570f782943f050351544be3396a3c
SHA-256: d3e31f52f523e27e1a32312b4c31309a2ec3d9eb90d57018f6192136f4a0aea8
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The OOXML document contains VBA macros that reference PowerShell and cmd.exe, indicating an attempt to execute arbitrary commands. The GetObject call further suggests dynamic execution of code or potential exploitation. Although the VBA code is heavily obfuscated, its presence together with the references to external execution tools strongly suggests downloader or dropper functionality.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): the document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: e90139993808646fc3644c9bb9072bde2825db5f71225eca09cf2b784f67c55e
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • vbaProject_00.bin
    SHA-256: a726c9726a137a2fce03d7e8e3b91fc5c2f6f4f9bcdc9c93838fe12cce43fb46
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes