Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 ba897fa495e2e41e…

MALICIOUS

File type: Office (OLE) / .XLSX

Size: 125.0 KB
First seen: 2022-08-16
MD5: 2b5f6753910537e5d6e1f9a86d637251
SHA-1: 5f66c24ccc164f7bbe594e0766c30bf8837c0a24
SHA-256: ba897fa495e2e41e7c1c1982cb8b299ef49afb46596ce06aadce13af1a21f47c
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The file is a password-encrypted Excel spreadsheet, which is a common delivery mechanism for malware. ClamAV detection indicates it is a downloader, likely intended to fetch and execute a secondary payload. The encryption prevents further static analysis of the document's content or embedded scripts.

Heuristics (3)

  • ClamAV: Xls.Downloader.94c25b356b5a6cac-9978798-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.94c25b356b5a6cac-9978798-0
  • Office document is password-encrypted (medium, OFFICE_ENCRYPTED_PACKAGE)
    OLE container holds an MS-OFFCRYPTO encrypted package (Standard Encryption, Office 2007, AES).
  • Office OOXML encrypted with default VelvetSweatshop password (medium, OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML)
    The OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens such files transparently, and malware uses this to hide OOXML exploit parts from scanners that only inspect the outer OLE container.