Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8a863b5f154e1ddb…

MALICIOUS

Office (OOXML) / .XLSX

5.8 KB
MD5: 8857fae198acd87f7581c7ef7227c34d
SHA-1: 4b676d8fcf1ef9aececd53786051182c9ea94792
SHA-256: 8a863b5f154e1ddba695453fdd0f5b83d9d555bae6cf377963c9009c9fa6c9be

Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.002 Spearphishing Attachment

The file is an Excel spreadsheet containing a VBA macro that is triggered by the Workbook_Open event. Heuristics indicate dropper functionality, and ClamAV signatures confirm it as 'Xls.Dropper.EPPlus-9802867-2'. The macro likely uses CreateObject to download and execute a secondary payload, a common technique for initial access and further infection.

Heuristics (6)

  • ClamAV: Xls.Dropper.EPPlus-9802867-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    The VBA project defines a Workbook_Open auto-exec entry point.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro source contains a CreateObject call.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin (VBA macros present).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: d87d96c339fb320043e959f3c88a4a01dae481a29f761e80f1909e3b35ba05b9
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3178 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved macro source contains an auto-exec entry point and execution/download terms.
  • Filename: vbaProject_00.bin
    SHA-256: 14767d87f27232bad927150bf1d837192077eaa6ff86d045be62e8a6934cde0a
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 5632 bytes
    Detection:
      ClamAV: Xls.Dropper.EPPlus-9802867-2
      Obfuscation or payload: unlikely