Xls.Dropper.Agent-7693328-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 3757fe215d5f40ed…

MALICIOUS

Office (OLE) / .XLS

55.0 KB Created: 2020-04-23 23:00:38 Authoring application: Microsoft Excel
MD5: 06271a68285c8128e572c5753a49e4d4 SHA-1: d09eecf013f884bdc72b0136def9878c3b4a8c25 SHA-256: 3757fe215d5f40eda13d1168a820d8c0f482dd76bfc5721e17e0f776534733d0
120 Risk Score

Malware Insights

Xls.Dropper.Agent-7693328-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The critical ClamAV heuristic indicates this is a known dropper associated with the 'Xls.Dropper.Agent-7693328-0' family. The presence of an encrypted Excel 4.0 macro sheet and the 'AUTOOPEN' heuristic further confirm its malicious nature as a macro-based delivery mechanism. The document body was unreadable, but the heuristics strongly suggest it functions as a dropper.

Heuristics 3

  • ClamAV: Xls.Dropper.Agent-7693328-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7693328-0
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.