Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f5c97c3eba03c8f6…

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: bc17fd1eef30b4bc3e8b4c69f92213f6 SHA-1: 4cffd6abb766e53328967bf4a8f635017e62cdca SHA-256: f5c97c3eba03c8f62e8c43f294ba999453735af8351ea77f3077a73448abad50
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

This OOXML document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call and the presence of VBA macros suggest an attempt to execute arbitrary code. The VBA code includes a Base64 decoding function, which is commonly used to obfuscate malicious payloads. The overall behavior indicates a downloader or dropper.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
91a85ba7df324b14d68e8feb3ab056db7fc51b536df8adeb3c1b8194ef144a0a		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes
vbaProject_00.bin
a4c6b837710b15d144e9bcf9b0885a6051d4b9411fe4cd928de2731565da54aa		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.