Verdict: MALICIOUS
Risk Score: 140

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.002 Spearphishing Attachment
The file is an XLSM document, and the presence of VBA macros is confirmed by heuristics. ClamAV detection explicitly identifies the file as 'Xls.Malware.Ldridex-9769692-0', strongly suggesting the Ldridex family. The obfuscated document body content likely serves as a lure to encourage macro execution, a common tactic for Ldridex to download and execute further payloads.
Heuristics (3)

- ClamAV: Xls.Malware.Ldridex-9769692-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Ldridex-9769692-0
- ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- VBA project inside OOXML (medium, OOXML_VBA): Document contains vbaProject.bin; VBA macros present
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| macros.bas | afc0743d4e2d09e4079ae892acfc05e9da23a2b8f736520c0e2241415143da98 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2549 bytes | - |
| vbaProject_00.bin | 7b31b6529df8233d6ae0e341da0c665490b6eb3d7c71143c50703d06b483b4bf | vba-project | OOXML VBA project: xl/vbaProject.bin | 22016 bytes | ClamAV: Xls.Malware.Ldridex-9769692-0; Obfuscation or payload: unlikely |
| emf_00.emf | 53a88b00b3c0368a97f07e5705cf02259ed019efd03221a3f484b750c1f9742f | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1408 bytes | - |