Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f8dd76e15b8e4315…

MALICIOUS

Office (OOXML)

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3e33714e360487e4a89b18bac2f5b3ba
SHA-1: 620a565897d578ff1e9e1c88c630b0e8f195512c
SHA-256: f8dd76e15b8e4315e2640c1506d72c43e6831cba3b7785311c189b78be741605
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The critical heuristic 'OLE_VBA_PS' indicates the presence of PowerShell commands within the VBA macros. Additionally, 'OLE_VBA_GETOBJ' and 'OLE_VBA_CMD' suggest the use of GetObject and cmd.exe, common for executing external commands. The VBA code itself contains extensive obfuscation, including Base64 decoding functions, which are likely used to hide the actual PowerShell commands responsible for downloading and executing a secondary payload. The overall pattern points to a macro-based downloader.

Heuristics 4

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (the document contains a VBA project, so VBA macros are present)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
  Hash (SHA-256): e99ebd0c8092c0c8fbc2790f79f082fae7a59861fdd5b0660fed6010213b9d26
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  Hash (SHA-256): 6e8cf4ab185bd892389cca11c9a247dbaeae9874ea740532048181333c394a62
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes