MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
The file is identified as malicious due to critical heuristic firings indicating the presence of legacy Excel 4.0 (XLM) macros, specifically the Auto_Open function and legacy macro-virus markers. The document body contains Vietnamese text related to construction cost estimation, which may serve as a lure. No specific script content was fully extracted or analyzed, but the presence of XLM macros strongly suggests an initial execution vector for malware delivery. The ClamAV detection further corroborates the malicious nature of the file.
Heuristics 4
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUSWorkbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
-
ClamAV: Xls.Malware.Generic-6680536-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6680536-0
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basf1a0a1924498708ffcd80c76cbe0099a7455fcbadc042a137c46e5b69a1d37b8 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9033 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.