Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ef1ac3f12332198e…

MALICIOUS

Office (OOXML)

14.8 KB
MD5: b3c4df30fcb050cd2719916ca70b730d
SHA-1: 724d8d16bb272d7a15197caed16aebea4fa8adcd
SHA-256: ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7

Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1566.001 (Phishing: Spearphishing Attachment)

The OOXML file contains a VBA project with an Auto_Open macro, so code runs as soon as the document is opened. The VBA code attempts to use the CreateProcess API, suggesting it is designed to execute a secondary payload. The VBA project part has been renamed (ppt/Finaleze.bin instead of the expected vbaProject.bin), a common evasion technique against path-based scanners. Because the VBA code is obfuscated and contains no explicit URLs or commands, the exact payload and delivery mechanism cannot be definitively determined, hence the 'unknown family' classification.

Heuristics (3)

  • VBA project part renamed to evade filename detection (severity: high, rule: OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    The VBA project defines an Auto_Open macro, which runs automatically when the document is opened.
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project; VBA macros present (project part renamed away from vbaProject.bin: ppt/Finaleze.bin).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256:  a0f3f8726b60d9ce26608df3b5261157262fcf1d0441ccd306dce3192ff083b7
  Kind:     vba-macro
  Source:   oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:     5644 bytes

Artifact 2
  Filename: vbaProject_00.bin
  SHA-256:  7e566ec3bc6e2ca029a5b63e20b60f5e85a66756e9fd38ca40d3c031621b536d
  Kind:     vba-project
  Source:   OOXML VBA project: ppt/Finaleze.bin
  Size:     34304 bytes