Xls.Dropper.Generic-9765465-0 Office (OOXML) / .XLSM malware analysis — malicious · f436cea732ee45b7

MALICIOUS

Office (OOXML) / .XLSM

599.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300

MD5: 8a16a7d3a315a5beb1db7584314583d7 SHA-1: 64e14ff4de0c2268d983af528df26062c17117c4 SHA-256: f436cea732ee45b72455bf88f61ccc4a60eff8f2ab62bd61d7afe63aa340b126

228 Risk Score

Malware Insights

Xls.Dropper.Generic-9765465-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file is an XLSM document containing VBA macros, as indicated by the OOXML_VBA heuristic. ClamAV detections confirm it is a dropper. The presence of CreateObject and CallByName calls suggests the VBA code is actively attempting to execute malicious actions, likely downloading and executing a second-stage payload from the embedded URLs. The document body contains what appears to be obfuscated data or commands, further supporting a malicious intent.

Heuristics 7

ClamAV: Xls.Dropper.Generic-9765465-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Generic-9765465-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
External hyperlinks (4) low OOXML_EXTERNAL_HYPERLINKS

Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.quora.com/profile/Alok-Jha-43
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.micr
- http://schemas

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `81c5d81e4281db8b8b5d5ad38e9ebf7df1152976cfba7c046c230e77581622d2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4538 bytes
`vbaProject_00.bin` `d3e7eb1932d0840d9a80c15f619c72e2f05a0c71716d0ba74b9be0610299b97b`	vba-project	OOXML VBA project: xl/vbaProject.bin	686080 bytes
Detection ClamAV: Xls.Dropper.Generic-9765465-0 Obfuscation or payload: unlikely
`emf_00.emf` `0295c5e4bea86a8a79ab50edfaa4d774e2d02df6ff818f54392499799e047686`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1842004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.