Xls.Dropper.Agent-1501585 — Office (OLE) malware analysis

Static analysis result for SHA-256 3128fb967b973806…

MALICIOUS

Office (OLE)

462.0 KB Created: 1999-02-08 09:24:15 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 93f4534f519ec169f0d4301f10f32f3c SHA-1: c99dd6cba46adf613f52e9d82d0aac1991fea939 SHA-256: 3128fb967b973806c4969243f80265127db8ceec8d4af291005907f4fb0967a4
120 Risk Score

Malware Insights

Xls.Dropper.Agent-1501585 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as a malicious Excel 5 macro-virus (Laroux/Larou-CV) by static heuristics, specifically flagged as Xls.Dropper.Agent-1501585. The presence of macro virus markers and the file type strongly suggest it's designed to execute embedded VBA code. This code likely acts as a dropper, downloading and executing a secondary malicious payload, a common technique for initial compromise.

Heuristics 2

  • ClamAV: Xls.Dropper.Agent-1501585 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-1501585
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: MBD000028E0/Ole10Native 38180 bytes
SHA-256: 764d7393b19744a570246d85899ec3f9049322d7d83c9f6cf618c1008f179e74