Office (OOXML) malware analysis — malicious · ffa427ea76da14d9

MALICIOUS

Office (OOXML)

41.8 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: 58ae632064cc3a9c6b6b6816f5387a47 SHA-1: b7b56ec1c7306fe1d3bfad23154e2dc6a0c45b23 SHA-256: ffa427ea76da14d923675b36167b3e356b955026ddda262f669242a1c4ce716e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The OOXML document contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of VBA macros strongly suggest an attempt to execute malicious code. The VBA code appears to be obfuscated, but the references to PowerShell and cmd.exe indicate a likely downloader or initial execution stage for a second-stage payload.

Heuristics 4

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8fbbd152770e61722b98465ad9c7be0a62f09d70acfe850228491baffc3239a3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	34430 bytes
`vbaProject_00.bin` `f459917c5f16b1590d93ebae113db463398c5a00d272013bf06b04e04fe1ae76`	vba-project	OOXML VBA project: xl/vbaProject.bin	11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.