Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f91e9acef4fde26c…

MALICIOUS

Office (OOXML)

41.6 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 7e39d6c50275ff9169f266984e86edc8 SHA-1: 4220436e883daf0a254f7d4c7bd2fe8aef32c94b SHA-256: f91e9acef4fde26c9c712d2e7e45b0b68d44abd452bb593d0f167d973c0eaab7
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is an OOXML file containing VBA macros. Heuristics indicate references to cmd.exe and PowerShell within the VBA code, suggesting an attempt to execute commands or scripts. The GetObject call further supports the likelihood of object manipulation for malicious purposes. The VBA code includes a Base64 decoding function, which is commonly used to obfuscate malicious payloads.

Heuristics 4

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
0fbbe0145dc5b1ceda7d7b223e82bcce498a1e26aab211654a74a9c2dd0e6864		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35036 bytes
vbaProject_00.bin
5377a485d0c9c0d2fb8b05e1ea0419a0af6508a919102794f2a3d3ccecc7fe60		 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.