Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ffb76634e0b8264e…

MALICIOUS

Office (OOXML)

41.9 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: ac2799f237d2a0e4a7a9839a809d3c3b SHA-1: d7c67af1d598385863fec7dc9ac0a59972d22e9a SHA-256: ffb76634e0b8264edbb9c5f53da5f300ee1b09708eb5b0c3fde756e38b4e37f8
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file is an OOXML document containing a Workbook_Open macro. This macro references PowerShell and uses WMI to launch a process, indicating it's designed to execute a secondary payload. The VBA code also includes a Base64 decoding function, suggesting obfuscation of the malicious payload.

Heuristics 6

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
aabe6fac4952450bcd0f96c040898c25b8b82d729aca56c3ad92186a74ef9dba		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 35548 bytes
vbaProject_00.bin
dc7ad4c42f3d498aa0588fdca3bb18698a0207fc048eff7f3ae0362819f82afc		 vba-project OOXML VBA project: xl/vbaProject.bin 11776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.