Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ebd2a5203d02fc8c…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 1479c74c5f49f16864a2b955e55b57d3
SHA-1: ad4f2509df560604ace8d125edd4ed48e252d192
SHA-256: ebd2a5203d02fc8c70d2102cb53007b37990d83e35b3cea0f5e8a117e295982b
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The file is an OOXML document (an Excel workbook, per the authoring application) that carries a VBA project. Heuristics over the decoded VBA source find references to PowerShell and cmd.exe and a call to GetObject; in maldocs GetObject is commonly used to obtain a WMI or Shell automation object through which a command interpreter is launched, so these three findings together point to a macro that runs an external command to download and execute a second-stage payload. The VBA source itself is heavily obfuscated, which is why the strings above are the only concrete indicators, and the page carries no network indicators or decoded payload. The malware family cannot be identified from the provided evidence.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call in VBA
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): document contains a VBA project (VBA macros present)
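The following is an added example of the triage the four findings above describe, not the report's own tooling. It opens the OOXML zip container, records the VBA project part (the OOXML_VBA finding), and runs the three keyword heuristics over decoded VBA source. The rule IDs are the report's; the regexes, the `normalize()` deobfuscation step (joining `"cm" & "d.exe"`-style split literals and resolving `Chr(n)`), the sample macro text and the placeholder `vbaProject.bin` contents are all constructed for illustration. Decoding a real `vbaProject.bin` into source requires an MS-OVBA parser such as oletools' olevba, which this example does not reimplement.

```python
"""Static triage of an OOXML document with a VBA project (added example, not the report's tooling)."""
import hashlib
import io
import re
import zipfile

# Heuristic rules modelled on the report's findings. IDs are the report's; the regexes are assumptions.
RULES = [
    ("OLE_VBA_PS", "critical", re.compile(r"powershell", re.I)),
    ("OLE_VBA_GETOBJ", "high", re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_CMD", "high", re.compile(r"cmd\.exe", re.I)),
]


def find_vba_project(ooxml_bytes):
    """Locate the VBA project part inside the OOXML zip container.

    Returns (part_name, sha256_hex, size) or None. Presence of this part is the
    OOXML_VBA finding; decoding it needs an MS-OVBA parser such as oletools' olevba.
    """
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                data = z.read(name)
                return name, hashlib.sha256(data).hexdigest(), len(data)
    return None


def normalize(src):
    """Undo two cheap obfuscations before keyword matching: Chr(n) literals and
    split string concatenation ("cm" & "d.exe"). Obfuscated macros hide keywords this way."""
    def chr_literal(m):
        ch = chr(int(m.group(1)))
        # Leave Chr(34) alone: a bare quote would unbalance the literal we are rebuilding.
        return '"%s"' % ch if ch != '"' else m.group(0)
    src = re.sub(r"\bChr\$?\((\d+)\)", chr_literal, src)
    prev = None
    while prev != src:  # repeat until no adjacent literals remain
        prev = src
        src = re.sub(r'"([^"]*)"\s*&\s*"([^"]*)"', r'"\1\2"', src)
    return src


def score_vba_source(src):
    """Run the keyword heuristics over normalized VBA source.
    Returns a list of (rule_id, severity, line_number) for each rule that fires."""
    text = normalize(src)
    hits = []
    for rule_id, severity, rx in RULES:
        m = rx.search(text)
        if m:
            hits.append((rule_id, severity, text.count("\n", 0, m.start()) + 1))
    return hits


def triage(ooxml_bytes, vba_source):
    """Combine the container check with the source heuristics, as the report's four findings do."""
    project = find_vba_project(ooxml_bytes)
    hits = score_vba_source(vba_source) if project else []
    if project:
        hits.append(("OOXML_VBA", "medium", project[0]))
    return {"vba_project": project, "hits": hits,
            "critical": any(sev == "critical" for _, sev, _ in hits)}


# --- constructed sample input (not the real sample's contents) ---
SAMPLE_VBA = (
    'Attribute VB_Name = "ThisWorkbook"\n'
    'Private Sub Workbook_Open()\n'
    '    Dim w As Object\n'
    '    Set w = GetObject("winmgmts:\\\\.\\root\\cimv2")\n'
    '    w.Get("Win32_Process").Create "cm" & "d.exe /c " & "power" & Chr(115) & "hell -w hidden -enc AAAA", Null, Null, pid\n'
    'End Sub\n'
)


def build_sample_ooxml():
    """Minimal xlsm-like zip with a placeholder vbaProject.bin (real ones are OLE2 compound files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-not-a-real-project")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(build_sample_ooxml(), SAMPLE_VBA)
    for rule_id, severity, where in result["hits"]:
        print(f"{severity:9} {rule_id:16} at {where}")
    print("critical:", result["critical"])
```

Against the real sample, feed `find_vba_project()` the .xlsm bytes and `score_vba_source()` the output of `olevba --decode`, which already performs the Chr()/concatenation folding that `normalize()` approximates here; without that step a split-string macro such as the constructed one above yields no keyword hits at all.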

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind          Source                                                           Size
macros.bas         vba-macro     oletools.olevba.extract_macros (decoded VBA source from OOXML)   35036 bytes
  SHA-256: e3f7b014c47e65f1328ed18b3480d102d72a5d7a3217547081cee3f750593f1b
vbaProject_00.bin  vba-project   OOXML VBA project: xl/vbaProject.bin                             11264 bytes
  SHA-256: 50a4917fee8f9d5ad4c923cd087ffec74d829a28453a0d36cb7bb527c6eefd3e