Office (OOXML) / .XLSX malware analysis — malicious · 53a9b8c7f68da7ab

MALICIOUS

Office (OOXML) / .XLSX

18.0 KB First seen: 2026-06-19

MD5: 5408550ea98c043e423cff3dffd7d574 SHA-1: 377457100f140a7dfbf627498e6f09391c027a00 SHA-256: 53a9b8c7f68da7ab05b85797658695a59dd38f6bbae99575b63b19caaecf6c38

222 Risk Score

Heuristics 5

ClamAV: Xls.Dropper.Agent-7382066-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7382066-0
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes

Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'nop' is 100% of instructions — a sled or padding/filler run, not program logic).
VBA project inside OOXML medium 1 related finding OOXML_VBA

Document contains a VBA project — VBA macros present
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download� In document text (OOXML body / shared strings)
- https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1�In document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	25088 bytes
SHA-256: `6ae9689658e2784b8e82bff9e5a48ea6db073ee57cb621669e83f82d89d4ad34`
Detection ClamAV: Xls.Dropper.Agent-7382066-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.