MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an encrypted Excel 4.0 macro sheet, identified by ClamAV as Xls.Dropper.Agent-8803964-0. The presence of encrypted macros and the ClamAV detection strongly suggest it functions as a dropper, likely intended to download and execute a secondary malicious payload.
Heuristics 4
-
ClamAV: Xls.Dropper.Agent-8803964-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-8803964-0
-
OLE metadata lists many Excel 4.0 macro sheets high 2 related findings OLE_XLM_DOCPROPS_MACROSHEET_INVENTORYWorkbook contains a BIFF Excel 4.0 macro-sheet marker and its clear OLE DocumentSummaryInformation stream lists many MacroN sheet titles. This is a useful static signal when FILEPASS encryption prevents formula extraction from the workbook stream.
-
Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEETWorkbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Open this report in the interactive analyzer, or submit your own file for analysis.