Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e6f01556873bc5b6…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 72f542a128521333ee8b5c3e2b26b03b
SHA-1: d1a7aeea5ad7185c462d02dd11434b6cc37132ce
SHA-256: e6f01556873bc5b6588e2df046d6ae74dcc064ae21a5fc55e0e27fde2a7b5a2e
Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros. Heuristics indicate the VBA code references PowerShell and cmd.exe, and uses GetObject. The VBA code itself appears to be heavily obfuscated, but its structure suggests it's designed to execute external commands. This is consistent with a macro-based downloader attempting to fetch and run a second-stage payload.

Heuristics (4)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project; VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • macros.bas
    SHA-256: d1d5125a3a2677b258da367c53771ff62beb020eca769f58c89202c4f69e7536
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • vbaProject_00.bin
    SHA-256: eb97a53a17c1effad521e5aa52d664c1e065c776b7035ebec4dcd443975dce5d
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes