Office (OOXML) malware analysis — malicious · d6c03c5e51771858

MALICIOUS

Office (OOXML)

42.1 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: b129dfa3312b0f7898f4d69869025496 SHA-1: a6bd10818bf456498cb0604128181b30de2c7cba SHA-256: d6c03c5e51771858ee6dccb4f99d6de6bd251c95cea94a631d502607e0999695

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1059.003 Windows Command Shell T1204.002 Malicious File

This OOXML document contains a Workbook_Open VBA macro that references PowerShell and cmd.exe. The macro also uses WMI to launch processes, indicating an attempt to execute arbitrary code. The presence of obfuscated VBA code suggests a downloader or droppper functionality, likely to fetch and execute a second-stage payload.

Heuristics 6

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `e66a4f799650973c195e61b7fd2b14b1bc51101cb895b39afcd658c459f46c4f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	36075 bytes
`vbaProject_00.bin` `e6e955ed4c1093253f872525420ee3bc178ad2c58ccce149ecfc0bdae8da4f62`	vba-project	OOXML VBA project: xl/vbaProject.bin	11776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.