Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d833f1e1f0b014b1…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 39f9107ad101efbf34c6f4749a5e0563
SHA-1: ae75158b3932412a996cdb7b03b9cf79974d6032
SHA-256: d833f1e1f0b014b1ccfc9f3085d3ea6860c5358f298d9778ca4823ccc02d0cc1
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The OOXML document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The macros appear to be obfuscated, but the intent is likely to download and execute a second-stage payload.

Heuristics 4

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
    The VBA code references PowerShell.
  • GetObject call (high, OLE_VBA_GETOBJ)
    The VBA code calls GetObject.
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
    The VBA code references cmd.exe.
  • VBA project inside OOXML (medium, OOXML_VBA)
    The document contains a VBA project, i.e. VBA macros are present.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: c69abfc45802dbcb1271b0baf4a0000fbf7097645ec0cdbe12b80d5017832e83
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35036 bytes
  • vbaProject_00.bin
    SHA-256: 56f1ff175558dc3a204fa78ddca923a9989fd32b700d03a77f3b3b207fc91264
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes