Xls.Downloader.94c25b356b5a6cac-9978798-0 Office (OLE) / .XLSX malware analysis — malicious · 60e44e20f771c3f0

MALICIOUS

Office (OLE) / .XLSX

48.4 KB First seen: 2022-02-23

MD5: 222d6fc84eaa79de7dfdce5ad59bbd7d SHA-1: 36dca412331b19cfacc6942bc184495e52d8b3e2 SHA-256: 60e44e20f771c3f017352c966f4bd5f165c11faa178db46c81636d30ab0cd851

160 Risk Score

Malware Insights

Xls.Downloader.94c25b356b5a6cac-9978798-0 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file is identified as a malicious Excel downloader by ClamAV. It is password-encrypted, preventing static analysis of its content, but the encryption itself and the OLE structure corruption are strong indicators of malicious intent. The presence of 'Xls.Downloader' in the ClamAV signature suggests it is designed to download and execute additional malware, likely via embedded macros.

Heuristics 4

Encrypted Office package with CFB FAT corruption critical OLE_ENCRYPTED_AND_MALFORMED

Encrypted-package shape co-occurs with FAT-chain corruption — the documented combined evasion form.
ClamAV: Xls.Downloader.94c25b356b5a6cac-9978798-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.94c25b356b5a6cac-9978798-0
Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGE

OLE container holds MS-OFFCRYPTO encrypted package (Standard Encryption (Office 2007, AES)).
Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML

OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.

Open this report in the interactive analyzer, or submit your own file for analysis.