Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f88fc891eb3344f6…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a0a244f24aba747b283fa384cbf98f82
SHA-1: 2c2ea14a4dc607412471b8ca2abe40b844ce5a8d
SHA-256: f88fc891eb3344f60d167e8318c6d91ac170c98702e6b6dcfe6dd95e47d6989a
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The sample is an Office document containing VBA macros. Heuristics indicate the presence of PowerShell and cmd.exe references within the VBA code, along with a GetObject call. These findings suggest the macro is designed to download and execute a secondary payload, a common technique for initial compromise via spearphishing attachments.

Heuristics (4)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA): the document contains a VBA project, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 1dee2a258d130de097aa01633925ee47cbf0358014f2ec8d5ab6063d373e16e9
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 34430 bytes

Filename: vbaProject_00.bin
  SHA-256: 5a011cf854adcfa98f6920107c5cb797d193033cb4e0fc497128acaab306a193
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes