Xls.Dropper.Agent-7623009-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 00f50e8697b5d464…

MALICIOUS

Office (OLE)

99.0 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel First seen: 2013-02-09
MD5: 3371016b6988e0a9eeda12b0bb6dd347 SHA-1: aa225b63629b50d599c842c429a4c3b5d0a1a26f SHA-256: 00f50e8697b5d4642c9ebe0563945cf8948f2a747d41f3e034e2cc8ec34e7cd7
404 Risk Score

Malware Insights

Xls.Dropper.Agent-7623009-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-7623009-0. Static analysis reveals numerous high and critical heuristic firings related to process creation, memory manipulation, and remote thread execution (CreateProcess, ShellExecute, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary, GetProcAddress). The embedded VBA macro, though appearing simple, likely serves as a loader for a second-stage payload, indicated by the system API calls. The presence of 'res://srvwiz.dll/default.hta' suggests a potential download or execution of a remote HTA file.

Heuristics 11

  • ClamAV: Xls.Dropper.Agent-7623009-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7623009-0
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 101,376 bytes but its declared streams total only 42,689 bytes — 58,687 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements info OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://investor.msn.com/external/excel/quotes.asp?SYMBOL=[ In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 684 bytes
SHA-256: 73fe284b1e885bd0405ecb421b1224021163ce4aa3bca30e5a2deb64f9916b3c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "SystemMonitor1, 10, 0, SystemMonitor, SystemMonitor"