MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
The file is an XLSM document, which is known to contain VBA macros. ClamAV heuristics confirm the presence of VBA macros and identify the file as malicious with the signature 'Xls.Malware.Mrhl-9774585-0'. The document body, though heavily obfuscated, suggests an attempt to trick the user into enabling macros. The presence of VBA macros indicates the potential for executing malicious code, such as downloading a second-stage payload.
Heuristics 3
-
ClamAV: Xls.Malware.Mrhl-9774585-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Mrhl-9774585-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basaf503b2ffb4c3ff8898f03ea88626a1b9c5dd91b400d81c07539859d611806c0 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1264 bytes |
vbaProject_00.binfca4481958733f301da23aed87378efd859677d3bb8dd88ed49230616826b888 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 16384 bytes |
|
Detection
ClamAV:
Xls.Malware.Mrhl-9774585-0
Obfuscation or payload:
unlikely
|
|||
emf_00.emf015127571fc2389979d9d100c496dd9802cc18b93a4f4bbbd1f837b6ae080d97 |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3460 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.