Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.002 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Xls.Malware.Ldridex-9768648-0, strongly suggesting the Ldridex banking trojan family. The presence of VBA macros within the OOXML file further supports this, as Ldridex commonly uses macro-enabled documents for initial infection. The obfuscated document body text likely serves as a lure to encourage macro execution, which would then trigger the malicious VBA code to download and execute a second-stage payload.
Heuristics (3)
- ClamAV: Xls.Malware.Ldridex-9768648-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
- ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]: ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- VBA project inside OOXML [medium, OOXML_VBA]: Document contains vbaProject.bin (VBA macros present)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| macros.bas | 8873c752da58b642408d52bcdd8b5a83063f98901ac76d8fa233f96313bd6d24 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2566 bytes | |
| vbaProject_00.bin | c5ebf972fd39e09e72e4759f54c6814c93c3bd918e88863bac603f37af356b09 | vba-project | OOXML VBA project: xl/vbaProject.bin | 20992 bytes | ClamAV: Xls.Malware.Ldridex-9768648-0; Obfuscation or payload: unlikely |
| emf_00.emf | b5bade02daded562effbe609b7a4c7c01c1ee2a1f26708539a8df738ed841fce | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3432 bytes | |