MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The file is an Excel document containing VBA macros, specifically an Auto_Open macro. This macro attempts to achieve persistence by saving a copy of the workbook to the Excel startup folder ('XLSTART' or 'StartupPath') with the filename 'mypersonel1.xls'. It also attempts to hide its presence by making the main workbook window invisible. The presence of the Auto_Open macro and the persistence mechanism strongly indicate malicious intent.
Heuristics 4
-
ClamAV: Xls.Virus.Valyria-10004391-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Virus.Valyria-10004391-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basa952b99482b0c1553a38b5c5c925360a64e7e248d8393a84f101fcada75ef358 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1463 bytes |
vbaProject_00.bin3f2fd5cc795b9e13de235271299f6027cd06d7b2bb07d04a41f63de97e94fa4c |
vba-project | OOXML VBA project: xl/vbaProject.bin | 17920 bytes |
|
Detection
ClamAV:
Xls.Virus.Valyria-10004391-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.