MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
The file is identified as a malicious Excel 4.0 (XLM) macro-based document. The presence of legacy XLM macro-virus family markers and an Auto_Open macro indicates an attempt to execute code upon opening. The VBA script, though truncated, contains declarations for Windows API functions related to file system access and profile manipulation, suggesting it may be involved in payload execution or system modification. The extracted path 'C:\DUTOAN97\CUOCVC.DBF' is likely related to the macro's operation.
Heuristics 4
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUSWorkbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
-
ClamAV: Xls.Malware.Generic-6680536-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6680536-0
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basf1a0a1924498708ffcd80c76cbe0099a7455fcbadc042a137c46e5b69a1d37b8 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9033 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.