Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e39ae14da86bbae5…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4d90e910969f7a52d3d5242cee3617e6
SHA-1: a7273d54d351d50ce1a3a51f0d04c97a6fced7bd
SHA-256: e39ae14da86bbae5c4ca7bbf543967168d5ece46721acd432483c24f15068fe0
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The critical heuristic 'OLE_VBA_PS' indicates a PowerShell reference within the VBA macros, and 'OLE_VBA_CMD' shows a cmd.exe reference. The 'GetObject call' heuristic further suggests the macro is attempting to interact with external objects or processes. These combined findings strongly suggest the VBA code is designed to download and execute a secondary payload, likely via PowerShell or cmd.exe.

Heuristics 4

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML — document contains a VBA project (VBA macros present)

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
    SHA-256: 7f3cc4fffa636824b8027a4171b644a1fbbf141c67533f3cdc867242c048699c
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes
    SHA-256: 2d4cb167c7731dbf69fc3e7f7e4d7d4da96883054594ef393cb19178dac28387