Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f5cf7f8b2d6fad3b…

MALICIOUS

Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: fcf9378f2dc3a9f544c3e7e5c5560f54
SHA-1: c301e4ad5052d6c72197a99db82f9b88d83f72e6
SHA-256: f5cf7f8b2d6fad3b8694198d0e5a89b2d4c96a82ae36cc05fdbe23cbf09c2fa8
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate that the VBA code references PowerShell and cmd.exe and calls GetObject. The VBA code appears to perform obfuscated Base64 decoding, likely to execute a malicious payload. The primary function of the script is to decode and execute a second-stage payload, a common technique for malware delivery.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename          | SHA-256                                                          | Kind        | Source                                                         | Size
macros.bas        | e246383f6129f19ae99428ec1c453be4fe3f3c3360ad76ebecb01f09adfb5575 | vba-macro   | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 34430 bytes
vbaProject_00.bin | dca23649cfe1c973f0cd362b085a40288f2bffe1dd0da8132b399397ca16d06d | vba-project | OOXML VBA project: xl/vbaProject.bin                           | 11264 bytes