Malware Insights
The file is identified as malicious by ClamAV and contains both VBA and Excel 4.0 (XLM) macros. The XLM macro sheet marker at offset 0x1E116A indicates the presence of older macro technology, often used for initial execution. The VBA macros include declarations for Windows API functions like WritePrivateProfileString, GetWindowsDirectory, and GetSystemDirectory, suggesting potential system interaction or configuration manipulation. The document body contains what appears to be construction or material cost data, likely a lure to disguise the malicious intent. The combination of these factors points to a macro-based attack, possibly for phishing or credential theft.
Heuristics 3
- ClamAV: Xls.Malware.Generic-6680536-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Malware.Generic-6680536-0
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected [medium, OLE_VBA_MACROS]: Document contains VBA macro code
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt ee2635b795c02203e593b0176996e3543dcc34faf24e7462fe2cba0de76683da | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 3267443 bytes |
| macros.bas f1a0a1924498708ffcd80c76cbe0099a7455fcbadc042a137c46e5b69a1d37b8 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9033 bytes |