MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical heuristic 'OFFICE_EMBEDDED_MACRO_OBJECT' and the ClamAV detection 'Xls.Dropper.Valyria-10030821-0' indicate this is a macro-enabled dropper. The VBA p-code auto-execution with SHELL execution tokens strongly suggests the macro attempts to download and run a secondary payload, consistent with a dropper's function. The file is likely delivered as a spearphishing attachment.
Heuristics 6
-
Embedded Office object carries macros critical OFFICE_EMBEDDED_MACRO_OBJECTThis document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
-
ClamAV: Xls.Dropper.Valyria-10030821-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Valyria-10030821-0
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Large OOXML part skipped info SCAN_INCOMPLETEOne or more high-value OOXML parts exceeded the scanner's per-entry size cap and may not have been fully inspected.
Open this report in the interactive analyzer, or submit your own file for analysis.