MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
The file is an Office document containing VBA macros, as indicated by the OOXML_VBA heuristic and the presence of macros.bin. ClamAV detected the file as 'Xls.Malware.Mrhl-9774585-0', suggesting it is a known malicious Excel variant. The document body appears to be heavily obfuscated or corrupted, preventing a clear understanding of its lure. However, the presence of macros and the ClamAV detection strongly suggest malicious intent, likely to execute further malicious code once macros are enabled.
Heuristics 3
- ClamAV: Xls.Malware.Mrhl-9774585-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Mrhl-9774585-0
- ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- VBA project inside OOXML (medium, OOXML_VBA): Document contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas af503b2ffb4c3ff8898f03ea88626a1b9c5dd91b400d81c07539859d611806c0 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1264 bytes |
| vbaProject_00.bin fca4481958733f301da23aed87378efd859677d3bb8dd88ed49230616826b888 | vba-project | OOXML VBA project: xl/vbaProject.bin | 16384 bytes |
| emf_00.emf 015127571fc2389979d9d100c496dd9802cc18b93a4f4bbbd1f837b6ae080d97 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3460 bytes |

Detection (shown under vbaProject_00.bin):
ClamAV: Xls.Malware.Mrhl-9774585-0
Obfuscation or payload: unlikely