Verdict: MALICIOUS
Risk Score: 320
Malware Insights
MITRE ATT&CK
- T1204.002 Malicious File
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
The sample exhibits critical ClamAV detection as 'Xls.Dropper.Agent-7079673-0', indicating it functions as a dropper. High-severity heuristics for PEB access, WinExec, CreateProcess, and GetProcAddress APIs, along with a NOP sled, strongly suggest the execution of shellcode. The large slack space in the OLE structure is also anomalous. While no specific script content was provided, the combination of these indicators points to a malicious document designed to download and execute a second-stage payload.
Heuristics (8)
- ClamAV: Xls.Dropper.Agent-7079673-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7079673-0
- NOP sled detected (high, SC_NOP_SLED): Found 20+ consecutive 0x90 bytes
- PEB access via FS segment (x86) (high, SC_PEB_ACCESS): PEB access via FS segment (x86)
- Reference to WinExec API (high, SC_STR_WINEXEC): Reference to WinExec API
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 226,646 bytes but its declared streams total only 31,351 bytes; 195,295 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- x86 push-string-call (medium, SC_PUSH_STRING): Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack