Xls.Dropper.Generic-9765465-0 Office (OOXML) / .XLSM malware analysis — malicious · ef366f6e2178ed0c

MALICIOUS

Office (OOXML) / .XLSM

599.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300

MD5: 725db4e6bfc54f089e7677fb655ab7cd SHA-1: 01dea298cdfc53130cee2020c1419dccd92cfd06 SHA-256: ef366f6e2178ed0cdf3f898564ceed441d28df1fb962915d0cdc0e0875cb744d

228 Risk Score

Malware Insights

Xls.Dropper.Generic-9765465-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file is an XLSM document containing VBA macros, as indicated by the OOXML_VBA heuristic. Critical heuristics OLE_VBA_CREATEOBJ and OLE_VBA_CALLBYNAME suggest the macros are designed to execute arbitrary code. ClamAV detections confirm this, identifying the file as 'Xls.Dropper.Generic-9765465-0'. The macros likely download and execute a second-stage payload from the embedded URLs.

Heuristics 7

ClamAV: Xls.Dropper.Generic-9765465-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Generic-9765465-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
External hyperlinks (4) low OOXML_EXTERNAL_HYPERLINKS

Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.quora.com/profile/Alok-Jha-43
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.micr
- http://schemas

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `81c5d81e4281db8b8b5d5ad38e9ebf7df1152976cfba7c046c230e77581622d2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4538 bytes
`vbaProject_00.bin` `d3e7eb1932d0840d9a80c15f619c72e2f05a0c71716d0ba74b9be0610299b97b`	vba-project	OOXML VBA project: xl/vbaProject.bin	686080 bytes
Detection ClamAV: Xls.Dropper.Generic-9765465-0 Obfuscation or payload: unlikely
`emf_00.emf` `0295c5e4bea86a8a79ab50edfaa4d774e2d02df6ff818f54392499799e047686`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1842004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.