Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d6b7edc83456f970…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: bea777fbfff5cff5b7a35f674e40daa7 SHA-1: 60050230784cedb1499d25ffe79e813286298bb6 SHA-256: d6b7edc83456f970c6a0a6fa946af7f98565d63ee1227a0d6e8fbaf8e5f12789
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject, suggesting it's designed to execute external commands. The presence of a large VBA macro file (`macros.bas`) further supports this, likely containing obfuscated code to download and run a second-stage payload. The overall pattern is consistent with a malicious document delivered via spearphishing.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
50edc6e6ffd7c28c8f9d905a61c4ae1996e9dd2f63a9bc47b970769982853ecd		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
e99fc87a41af07fc1e2694201af8b041633f341d405575a09dbac8b423090817		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.