Xls.Dropper.EPPlus-9802867-2 — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 aad188e844512984…

MALICIOUS

Office (OOXML) / .XLSX

Size: 431.0 KB
MD5: a1fffa3f10a889fa92a81002a081a256
SHA-1: bce1387b17d482fe68cc48579d55dd1b18f45ecf
SHA-256: aad188e844512984d297dc57bf44a14396d19f459d9e0955a8414486c4081edb
Risk Score: 260

Malware Insights

Xls.Dropper.EPPlus-9802867-2 · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The file is detected as Xls.Dropper.EPPlus-9802867-2 by ClamAV. A Workbook_Open macro is present, which is designed to execute obfuscated PowerShell code when the workbook is opened. This script uses 'iwr' (the Invoke-WebRequest alias) to download a JPG file from 'http://35.178.75.69/8/0210379.jpg' and saves it as 'C:\Users\Public\Pictures\ssoizekf.exe'. It then executes the downloaded file, indicating downloader or dropper functionality.

Heuristics (6)

  • ClamAV: Xls.Dropper.EPPlus-9802867-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
  • ClamAV detection on extracted artifact (severity: critical; rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Workbook_Open macro (severity: high; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact (severity: high; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA)
    Document contains vbaProject.bin: VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
SHA-256: f8e84e9138f7cb5e6a933dff4be9490cad8b96ec954b08256ad573f4b1113c09
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1259 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved macro source contains an auto-exec entry point and execution/download terms.

Artifact 2
Filename: vbaProject_00.bin
SHA-256: 7e82ba51f32268799a65fa63c856d0c2f452048056694feac93c20fbf6a15a82
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 5120 bytes
Detection:
  ClamAV: Xls.Dropper.EPPlus-9802867-2
  Obfuscation or payload: unlikely