Xls.Dropper.EPPlus-9802867-2 — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 ecce5ff9b0aee22f…

MALICIOUS

Office (OOXML) / .XLSX

92.6 KB
MD5: 26ed8f8c2caaa78928de13dd17fdb28e
SHA-1: c6cf8076d7e8d4a12e67a000e53862270b28178a
SHA-256: ecce5ff9b0aee22f086a1177fc0f96df5eedfad9860b8dfb7de7d67285125c68
Risk Score: 260

Malware Insights

Xls.Dropper.EPPlus-9802867-2 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.002 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Dropper.EPPlus-9802867-2. Static analysis revealed a Workbook_Open macro, indicating that VBA code will execute automatically when the document is opened. This macro is likely responsible for downloading and executing a second-stage payload, as suggested by the 'Dropper' classification and the presence of extracted VBA macros. The embedded URL heuristic also suggests network activity.

Heuristics (6)

  • ClamAV: Xls.Dropper.EPPlus-9802867-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
  • ClamAV detection on extracted artifact [critical] (EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact [high] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] (OOXML_VBA)
    Document contains vbaProject.bin (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: e14680104a3a07770a26a5588e60c4b74ddd3a08b4ea991574785d70cf0687b6
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 6530 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
  SHA-256: f2d53a76d12c993677e371cca1ce3475da871358503c069b307dcdfbdb2b3183
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 7168 bytes
  Detection: ClamAV: Xls.Dropper.EPPlus-9802867-2
  Obfuscation or payload: unlikely