Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 da0484bceb5d0db3…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ef7d71f580b559ea551651c33ae19d98
SHA-1: 1ad9bd5f4df266b7f5e5b41a64409dc426aa1278
SHA-256: da0484bceb5d0db3e4d3e34473f0e6f89400ba8a45af3a8c35e5aad286c7a454
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The Excel document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The VBA code appears to be obfuscated, but the references to cmd.exe and PowerShell indicate a likely intent to download and execute a second-stage payload.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS): PowerShell reference in VBA
  • GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  • cmd.exe reference in VBA (high, OLE_VBA_CMD): cmd.exe reference in VBA
  • VBA project inside OOXML (medium, OOXML_VBA): Document contains a VBA project (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 985792496d16c231da157533822c808ae4ecb81441d591e191eb9c10bb92246e
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: ef8a1de2558cf058cedbc117a37471d819f50de27596b232f7bde620939785f9
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes