Malicious Office (OLE) / .XLSX — malware analysis report

Heuristics 9

• Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
  OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
• Shell() call in VBA critical OLE_VBA_SHELL
  Shell() call in VBA
• WScript.Shell usage critical OLE_VBA_WSCRIPT
  WScript.Shell usage
• ClamAV: Xls.Malware.Valyria-10002968-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Xls.Malware.Valyria-10002968-0
• Reference to Windows Script Host high SC_STR_WSCRIPT
  Reference to Windows Script Host
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• VBA macros detected medium OLE_VBA_MACROS
  Document contains VBA macro code
• Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.asianexportglass.shop/p/50.html

Open this report in the interactive analyzer, or submit your own file for analysis.