Xls.Dropper.Agent-8915377-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 0c7e1d0821c8e791…

MALICIOUS

Office (OLE)

Size: 243.0 KB
Created: 2020-06-24 17:08:55
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 169e60ab1715df7c1f80d37c17fe36ba
SHA-1: 78817ce44779c8d2ceb814d2580b6cf44e3ad185
SHA-256: 0c7e1d0821c8e7919aed75f079425c77d59020a4a721ed45005c2a07c1f444b8
Risk Score: 280

Malware Insights

Xls.Dropper.Agent-8915377-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-8915377-0. Critical heuristics indicate the presence of Excel 4.0 macros with dangerous functions and environment-evasion techniques, suggesting it is designed to execute arbitrary code. The XLM macros are likely responsible for downloading and executing a second-stage payload.

Heuristics (6)

  • ClamAV: Xls.Dropper.Agent-8915377-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-8915377-0
  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • XLM Auto_Open environment-evasion close gate (critical, OLE_XLM_ENVIRONMENT_EVASION_CLOSE)
    Excel 4.0 macro sheet auto-executes environment checks with GET.WORKSPACE / GET.WINDOW, then shows a fake corruption/error message and closes the workbook when the host fails those checks. This is a malware sandbox-evasion pattern, even when the later payload stage is hidden behind obfuscated defined-name flow.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: xlm_macros.txt
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 103906 bytes
    SHA-256: cb35dc25b6032b395ec66a23b0761d76abe16f1df88d2d96a27e66f3213bba34
    Preview (first 1,000 lines of the extracted script):
' 0085      9 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     27 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  zVxCQauJviJfeHnGrv
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     20 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 A
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     20 LABEL : Cell Value, String Constant - BcyxZ len=0 
' 0018     23 LABEL : Cell Value, String Constant - BgppoteX len=0 
' 0018     21 LABEL : Cell Value, String Constant - BVxDQN len=0 
' 0018     20 LABEL : Cell Value, String Constant - cDoFI len=0 
' 0018     22 LABEL : Cell Value, String Constant - CZgnRed len=0 
' 0018     21 LABEL : Cell Value, String Constant - Dirrpu len=0 
' 0018     21 LABEL : Cell Value, String Constant - dTyIIH len=0 
' 0018     24 LABEL : Cell Value, String Constant - DwPMiFdVR len=0 
' 0018     20 LABEL : Cell Value, String Constant - eJWVl len=0 
' 0018     21 LABEL : Cell Value, String Constant - eqTmSp len=0 
' 0018     22 LABEL : Cell Value, String Constant - eVMZjTS len=0 
' 0018     29 LABEL : Cell Value, String Constant - FtOFvJTCCpbDZl len=0 
' 0018     24 LABEL : Cell Value, String Constant - fzqhuFnnb len=0 
' 0018     20 LABEL : Cell Value, String Constant - GExQN len=0 
' 0018     23 LABEL : Cell Value, String Constant - GGhpCexd len=0 
' 0018     20 LABEL : Cell Value, String Constant - gZgLX len=0 
' 0018     23 LABEL : Cell Value, String Constant - htifZroL len=0 
' 0018     24 LABEL : Cell Value, String Constant - huJpItxXL len=0 
' 0018     22 LABEL : Cell Value, String Constant - HWdfoMH len=0 
' 0018     24 LABEL : Cell Value, String Constant - iIitnGDav len=0 
' 0018     24 LABEL : Cell Value, String Constant - IRpkNPvQV len=0 
' 0018     24 LABEL : Cell Value, String Constant - iVwSRtbse len=0 
' 0018     21 LABEL : Cell Value, String Constant - jBmqRr len=0 
' 0018     22 LABEL : Cell Value, String Constant - jcMtwRt len=0 
' 0018     24 LABEL : Cell Value, String Constant - JDVSoLjpl len=0 
' 0018     21 LABEL : Cell Value, String Constant - jGekgr len=0 
' 0018     21 LABEL : Cell Value, String Constant - jHqBHD len=0 
' 0018     23 LABEL : Cell Value, String Constant - jmeDgLJq len=0 
' 0018     21 LABEL : Cell Value, String Constant - kmTZsB len=0 
' 0018     23 LABEL : Cell Value, String Constant - KNQIgKoY len=0 
' 0018     21 LABEL : Cell Value, String Constant - KyTKBO len=0 
' 0018     23 LABEL : Cell Value, String Constant - LDbFjTPE len=0 
' 0018     22 LABEL : Cell Value, String Constant - LiScieq len=0 
' 0018     23 LABEL : Cell Value, String Constant - MaijtRMp len=0 
' 0018     22 LABEL : Cell Value, String Constant - mzZZzJV len=0 
' 0018     23 LABEL : Cell Value, String Constant - nIkoDNiv len=0 
' 0018     21 LABEL : Cell Value, String Constant - NQfBCM len=0 
' 0018     23 LABEL : Cell Value, String Constant - nQVisObP len=0 
' 0018     23 LABEL : Cell Value, String Constant - NRDvDhIt len=0 
' 0018     23 LABEL : Cell Value, String Constant - OcYHVuuV len=0 
' 0018     24 LABEL : Cell Value, String Constant - OfgCENkRu len=0 
' 0018     22 LABEL : Cell Value, String Constant - OuBUcRw len=0 
' 0018     22 LABEL : Cell Value, String Constant - pEkDosS len=0 
' 0018     22 LABEL : Cell Value, String Constant - qUjDWpk len=0 
' 0018     20 LABEL : Cell Value, String Constant - qXdw
... (truncated)
  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 717 bytes
    SHA-256: be23b65a6fa29680599137f837eec0639785801749f6f7877198f0531b8d3b52
    Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub RectangleRoundedCorners5_Click()
    Selection.Font.Bold = True
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True