Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d6620ebd295b9dd8…

MALICIOUS

Office (OLE) / .XLS

Size: 1.92 MB
Created: 2000-05-26 16:45:09
Authoring application: Microsoft Excel
MD5: e36d115a09f4bdfdd800154d5232e6c8
SHA-1: c132b3020765e5a7509af0039612976a2054b46a
SHA-256: d6620ebd295b9dd84a4af1cee393b6c306a822e38798eeb0cfe04fcc83ae7ab0
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell

The file is identified as malicious due to critical heuristic firings indicating the presence of legacy Excel 4.0 (XLM) Auto_Open macros and a legacy XLM macro-virus family marker 'XL4Poppy'. While VBA macros are also detected, the primary threat appears to stem from the older XLM macro functionality. The document body contains what appears to be Vietnamese construction cost estimation data, which is likely a lure. No specific IOCs like URLs or hashes were extracted, but the presence of XLM macros is a strong indicator of malicious intent.

Heuristics (4)

  • Excel 4.0 (XLM) Auto_Open + macro sheet [critical] OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy XLM macro-virus family marker [critical] OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • ClamAV: Xls.Malware.Generic-6680536-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6680536-0
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas (666058ae70451137942d0df27d6aaad533470bccf4ffd0fa9cd050d499d7d411)
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     8732 bytes