MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an XLSM file containing VBA macros that leverage WScript.Shell to execute commands. The macro code appears to construct a command string, likely for downloading and executing a secondary payload. The presence of critical heuristics for Shell() and WScript.Shell usage, along with ClamAV detections for a known dropper family, strongly indicates malicious intent.
Heuristics 6
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
ClamAV: Xls.Dropper.Agent-8074454-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-8074454-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas365111a638616a035ee8cdfd591c8027acabeee579f177648fab14e229d153c8 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1026 bytes |
vbaProject_00.bin52835dfae35f4a83444d019fbef61319807839db3b2739799e5d53d032e44669 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 15360 bytes |
|
Detection
ClamAV:
Xls.Dropper.Agent-8074454-0
Obfuscation or payload:
unlikely
|
|||
emf_00.emf7662b9566e5b6268237939d70430c3c63587ce1f24b006f3e9ac5aa87ce327cd |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3420 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.