Xls.Malware.Emeka-10012114-0 — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 0b86cb490c50e402…

MALICIOUS

Office (OOXML) / .XLSX

Size: 22.4 KB
Created: 2025-09-18 14:30:32 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a8a3e58b284f292c04d44a967941cc85
SHA-1: 21a44ead1bb9aad99a2e139574818ad4d58e025c
SHA-256: 0b86cb490c50e40246a8bdaabd938c356bb2cafd007fb5af31c0971c3aecf32b
Risk Score: 260

Malware Insights

Xls.Malware.Emeka-10012114-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel macro-enabled workbook that contains a Workbook_Open macro. This macro is designed to execute automatically when the workbook is opened, attempting to save a copy of itself to the user's startup directory and potentially download additional malicious content. The presence of CreateObject and VBA p-code auto-execution further indicates malicious intent.

Heuristics (6)

  • ClamAV: Xls.Malware.Emeka-10012114-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Emeka-10012114-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    The VBA project defines a Workbook_Open handler, which Excel runs automatically when the workbook is opened (subject to the macro security setting in effect).
  • CreateObject call high OLE_VBA_CREATEOBJ
    The macro source calls CreateObject, which instantiates an external COM object from VBA; in auto-executing macros this is the usual route to shell, file-system and network functionality.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  cb110db3235aa8d2b8196261b0bf10d1c3ce3f2c5f6273d4f74cdeac87ba6171
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size:     2507 bytes

Filename: vbaProject_00.bin
SHA-256:  679bf68fa0738bc1d115fa620d069030977903151c6cccd7f44304b5a8bee797
Kind:     vba-project
Source:   OOXML VBA project: xl/vbaProject.bin
Size:     23040 bytes

Detection
ClamAV: Xls.Malware.Emeka-10012114-0
Obfuscation or payload: unlikely