Sdrop — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 12f06298a5693988…

MALICIOUS

Office (OOXML) / .XLSX

Size: 47.7 KB
Created: 2020-02-01 18:28:07 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-04-22

MD5: 331768e73291d5c44cf46fe8150b57af
SHA-1: 97173d80926daec0741e20237c0501d52a79e746
SHA-256: 12f06298a5693988349a53aee9eb505060d5f69c622e7cb3f3970b38e6efbf62

Risk score: 342

Malware Insights

Sdrop · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an Excel document containing a VBA macro with an Auto_Open subroutine, which is a common technique for executing malicious code upon opening. The macro uses CreateObject, indicating it likely attempts to download and execute a second-stage payload. ClamAV detection confirms this as a known dropper variant (Sdrop).

Heuristics (9)

  • Embedded Office object carries macros [critical] OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • ClamAV: Xls.Dropper.Sdrop-9451844-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Sdrop-9451844-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, size, and detection results where available.

  • macros.bas
    SHA-256: 36f0925e0a44087bf3c3ac2deda04bf17e9bbccb1d5c8ed3b8deace0e9105667
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 30730 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • ooxml_oleobject_00.bin
    SHA-256: 739427de4353c0909451f1fa01e296718c048c2950f2fd7a22b70ef5e5a501e4
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
    Size: 12800 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: dabb339f8a177eca0dad8013fe5adb01a66a98022c44fb3f4c5f3160167ac48a
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
    Size: 10049 bytes
  • ooxml_oleobject_01.bin
    SHA-256: 8ad81f9e8796bf04534ed7bed410d33676e83fd04ea40a845acd0e49a1f72513
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 3584 bytes
  • ooxml_oleobject_01_ole10native_00.bin
    SHA-256: 789f935954b0890d11328deafc40adf8e85db9c9652660584dbd4617ccbbbb89
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 1379 bytes
  • ooxml_oleobject_02.bin
    SHA-256: 31e29f27da6051ce268b95298907f48b2f2863e335e4e90ee2b386d80ac4ae46
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/vbaProject.bin
    Size: 50176 bytes
    Detection: ClamAV: Xls.Dropper.Sdrop-9451844-0. Obfuscation or payload: unlikely.
  • emf_00.emf
    SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 4968 bytes
  • emf_01.emf
    SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 1536 bytes