MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1566.001 Spearphishing Attachment
The file contains critical XLM macro virus markers, indicating it is a legacy macro virus. The Auto_Open macro is present and uses the SAVE.COPY.AS function to create a copy of itself with a date-stamped filename, such as 'LuuNgayDD-MM-YYYY.xls'. This behavior suggests an attempt to spread or persist by creating new infected copies. The 'SE_INVOICE_LURE' heuristic further suggests a potential lure, though no specific text was extracted to confirm this.
Heuristics 3
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUSWorkbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Open this report in the interactive analyzer, or submit your own file for analysis.