MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Xls.Malware.Ldridex-9768648-0, indicating it belongs to the Ldridex family. Static analysis detected the presence of VBA macros within the OOXML document. The document body contains heavily obfuscated strings which are likely part of the macro's functionality, possibly to download and execute a secondary payload. The presence of VBA macros and the Ldridex family attribution strongly suggest a spearphishing attachment attack pattern.
Heuristics 3
-
ClamAV: Xls.Malware.Ldridex-9768648-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas8873c752da58b642408d52bcdd8b5a83063f98901ac76d8fa233f96313bd6d24 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2566 bytes |
vbaProject_00.bin30dec5699651887765c9095dc4db632659edbab840285430b46d3bd079f6c616 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 20992 bytes |
|
Detection
ClamAV:
Xls.Malware.Ldridex-9768648-0
Obfuscation or payload:
unlikely
|
|||
emf_00.emfb5bade02daded562effbe609b7a4c7c01c1ee2a1f26708539a8df738ed841fce |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3432 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.