Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e08f4b98c67cb690…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300

MD5: 70dd115854573d582de668f8cb41dc27
SHA-1: adb752e326c4626a86dad0f8ccf8c893754a71a9
SHA-256: e08f4b98c67cb6906a367b28921834541b29edb2891f0e3a8b1d685fd6c12c32

Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The file is an OOXML document containing VBA macros. Heuristics flag PowerShell and cmd.exe references within the VBA code, along with a GetObject call. The VBA code itself is heavily obfuscated; even so, the presence of these indicators suggests the macro is designed to execute commands, most likely to download and run a second-stage payload. The specific family cannot be identified from the available evidence.
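An added example, not part of this report or of the scanner that produced it, showing what the container check and the three content heuristics above amount to in code. The heuristic IDs, severities and names are the four the report lists; the regular expressions, the de-obfuscation folding (Chr(), StrReverse(), and "&"/"+" string concatenation), the .xlsm-shaped zip and the Auto_Open macro are all constructed for illustration and are not taken from the sample. The block does not implement MS-OVBA stream decompression: the VBA source is passed in as text, standing in for what oletools' olevba extract_macros would decode from vbaProject.bin.

```python
import io
import re
import zipfile

# Heuristic catalogue. IDs, severities and names are the four from the report;
# the patterns are my own approximation of what such a rule would look for.
HEURISTICS = [
    ("OLE_VBA_PS",     "critical", "PowerShell reference in VBA", re.compile(r"powershell", re.I)),
    ("OLE_VBA_GETOBJ", "high",     "GetObject call",              re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_CMD",    "high",     "cmd.exe reference in VBA",    re.compile(r"\bcmd\.exe\b", re.I)),
]
OOXML_VBA = ("OOXML_VBA", "medium", "VBA project inside OOXML")
VBA_PROJECT_RE = re.compile(r"(^|/)vbaProject\.bin$", re.I)

# Three common VBA string-obfuscation idioms: Chr(n), StrReverse("..."), "a" & "b" / "a" + "b".
_CHR = re.compile(r"\bChr[W$]?\s*\(\s*(\d+)\s*\)", re.I)
_STRREV = re.compile(r'\bStrReverse\s*\(\s*"((?:[^"]|"")*)"\s*\)', re.I)
_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*[&+]\s*"((?:[^"]|"")*)"')


def _lit(s: str) -> str:
    """Wrap s as a VBA string literal; an embedded quote is escaped as ""."""
    return '"' + s.replace('"', '""') + '"'


def normalize_vba(src: str) -> str:
    """Fold the three idioms above, repeating until the text stops changing."""
    prev = None
    while prev != src:
        prev = src
        src = _CHR.sub(lambda m: _lit(chr(int(m.group(1)))), src)
        src = _STRREV.sub(lambda m: _lit(m.group(1).replace('""', '"')[::-1]), src)
        src = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def match_heuristics(vba_text: str) -> list:
    """Return (id, severity, name) for every rule whose pattern hits vba_text as-is."""
    return [(hid, sev, name) for hid, sev, name, rx in HEURISTICS if rx.search(vba_text)]


def scan_vba(vba_source: str) -> list:
    """Same rules, but applied after the obfuscation has been folded away."""
    return match_heuristics(normalize_vba(vba_source))


def find_vba_projects(ooxml_bytes: bytes) -> list:
    """OOXML is a zip; a macro-enabled workbook carries xl/vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        return [n for n in zf.namelist() if VBA_PROJECT_RE.search(n)]


def analyze(ooxml_bytes: bytes, vba_source: str) -> list:
    """Container check plus content rules. vba_source stands in for the decoded
    macro text (olevba's extract_macros output); no MS-OVBA decompression here."""
    hits = []
    if find_vba_projects(ooxml_bytes):
        hits.append(OOXML_VBA)
    hits.extend(scan_vba(vba_source))
    return hits


# Constructed sample: a minimal .xlsm-shaped zip. The vbaProject.bin member is
# placeholder bytes (an OLE signature only), not a real VBA project.
def build_sample_xlsm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


# Constructed macro: neither "powershell" nor "cmd.exe" appears literally.
VBA_SAMPLE = '''Sub Auto_Open()
    Dim w, s
    Set w = GetObject("winmgmts:")
    s = "c" & "md" & Chr(46) & "exe /c " & StrReverse("llehsrewop") & " -w hidden -enc AAAA"
    w.Get("Win32_Process").Create s, Null, Null, Null
End Sub
'''

if __name__ == "__main__":
    print("raw match :", [h[0] for h in match_heuristics(VBA_SAMPLE)])
    print("normalized:", [h[0] for h in scan_vba(VBA_SAMPLE)])
    for hid, sev, name in analyze(build_sample_xlsm(), VBA_SAMPLE):
        print(f"{sev:8} {hid:15} {name}")
```

On the constructed macro the raw pass fires only OLE_VBA_GETOBJ, because the PowerShell and cmd.exe strings are assembled at run time; after folding, all three content rules fire and the container check adds OOXML_VBA. Folding string-building idioms before matching is one reason a heavily obfuscated macro can still trip rules such as these. Scoring is deliberately left out, since the report does not say how its risk score is derived.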

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (the document contains a VBA project, i.e. VBA macros are present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  SHA-256: 9c56b04c5c14a5d9b216db2e200bd8057f4b92d88ab2123ea3f51b6d49c79b50
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    35036 bytes

vbaProject_00.bin
  SHA-256: 159e10a0bb33e79f563b37f3d4cf8b645e6f51c2e6a6021b1ce4c2e09bf2d412
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    11264 bytes