Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fb28ab4561e74cfe…

Verdict: MALICIOUS

File type: Office (OOXML)
Size: 41.5 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: b7432d5b126e615b3aaa4a7f255a8614
SHA-1: 3559083e723835c9f446605054a6e8874bce9282
SHA-256: fb28ab4561e74cfed72f426f561ceaa31bf07e4e3e572857d6b0c3beeee8d293
Risk score: 160

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an Excel document containing VBA macros. The VBA code references cmd.exe and PowerShell, indicating an attempt to execute commands. The GetObject call is also suspicious. The primary function of the VBA appears to be decoding and executing a PowerShell payload, likely for further malicious activity.

Heuristics (4)

  • [critical] OLE_VBA_PS: PowerShell reference in VBA
  • [high] OLE_VBA_GETOBJ: GetObject call
  • [high] OLE_VBA_CMD: cmd.exe reference in VBA
  • [medium] OOXML_VBA: VBA project inside OOXML (document contains a VBA project, i.e. VBA macros are present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 97d514ef3b27ea8366f52fb90f31045ac0ffc1b95aa8aaf870fe217f89e5546d
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 34430 bytes
  • vbaProject_00.bin
    SHA-256: c3828ce14097c7900b47bd73ae674b148754760a7ff1843fe7ce102120e92239
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 11264 bytes