Malware Insights
The sample is identified as malicious due to critical heuristic firings indicating the presence of legacy Excel 4.0 (XLM) macros and a macro-virus family marker. The VBA macro code, though truncated, includes declarations for Windows API functions like WritePrivateProfileString and GetWindowsDirectory, suggesting attempts to interact with the system or modify configuration. The presence of the Auto_Open macro and the XLM_LEGACY_MACRO_VIRUS heuristic strongly indicate that the macro is designed to execute automatically upon opening the spreadsheet, likely to download and run a secondary payload. The document body content is financial and technical, which could serve as a lure.
Heuristics 4
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUSWorkbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
-
ClamAV: Xls.Malware.Generic-6680536-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6680536-0
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basf1a0a1924498708ffcd80c76cbe0099a7455fcbadc042a137c46e5b69a1d37b8 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9033 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.