Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e8fef2919dfef9ce…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 8424c6c311f2bb52c27cb11c92175dfa SHA-1: c3c67ed0559b3fd25c9d32a5faa8f6270e818b4d SHA-256: e8fef2919dfef9ce43f8331be243cbb03812ac731e993a922c5ee84b3b7bb0a0
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The file is an Office document containing VBA macros. The macros reference PowerShell and cmd.exe, indicating an attempt to execute commands. The GetObject call is also suspicious. These heuristics suggest the VBA code is designed to download and execute a secondary payload, a common technique for initial access via malicious documents.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
88f848c55fe6e61c66d09cd92b77dad3cb3e039072a899b8fd6db6df2f399086		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
29c334a2de6d9ecffedb857ffbff91065f78e55190df8c04247adf52dc13db50		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.