MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
T1059.001 PowerShell
This XLSX file contains multiple Excel 4.0 (XLM) macro sheets, which are often used to conceal malicious code. The document body includes a lure instructing the user to 'ENABLE CONTENT TO ADJUST THIS DOCUMENT', a common tactic to bypass macro security. ClamAV detected this file as Win.Malware.Agent-7761873-0, indicating a known malware signature. The presence of XLM macros and the enable content lure strongly suggest the intent is to download and execute a secondary payload.
Heuristics 6
-
ClamAV: Win.Malware.Agent-7761873-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Malware.Agent-7761873-0
-
Excel 4.0 macro sheet (8 sheet(s)) high OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 8 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
- http://schemas.microsoft.com/office/spreadsheetml/2014/revision
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.xml44fb5b37893e7177563df6920dca826c57947785efa28824dc2e52b5d27665b1 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 56813 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s).
|
|||
xlm_sheet_01.xml8934166199f49c77363db58959af7c0a09a1bf53c1a4bab219fd4bdb003fefe3 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 6733 bytes |
xlm_sheet_02.xml76c2508ad741eb45b61634565b6e54510302871080cca66856608554afcb1f8e |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 1086 bytes |
xlm_sheet_03.xml182640ef572175d02b878b1187cabd415dc98889df18150f86a779a495cac004 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.xml | 1086 bytes |
xlm_sheet_04.xml28604893060b4b286f5d597a744dbac67d34f87bbd36b8093bfcee0d6de5aa6f |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.xml | 1086 bytes |
xlm_sheet_05.xmld0d2725eb4841777a72219d1038f6b6f8990f0244aab6682065e9ca8e33b3c1f |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.xml | 1086 bytes |
xlm_sheet_06.xmld365928e60748eae60e55682118bdda9abeac410b323d6dea317a0cc20b1a79d |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.xml | 1086 bytes |
xlm_sheet_07.xml0144f127f457c79cf6038a85248178a0102f4f26167751f2a3d027e7378ef3e7 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet8.xml | 1086 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.