Xls.Dropper.Agent-7633704-0 — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 38d3f5173827b3d7…

MALICIOUS

Office (OOXML) / .XLSX

Size: 388.9 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 15.0300

MD5: 83a7ee52acc9f9f728d268acce20d30c
SHA-1: 35ba05bc81abc4e0471efd47dcb69dc262623409
SHA-256: 38d3f5173827b3d7f213cb95de47e2087937eef5c9c3d48caf1dfb9098a063d4

Risk score: 222

Malware Insights

Xls.Dropper.Agent-7633704-0 · confidence 95%

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1204.002 User Execution: Malicious File

The file is an Excel spreadsheet (OOXML/XLSX) that carries a VBA project (xl/vbaProject.bin), as flagged by the OOXML_VBA heuristic. The high-severity heuristics OLE_VBA_CREATEOBJ and OLE_VBA_CALLBYNAME show that the macro code instantiates COM objects at run time and invokes methods by string name, the usual combination for reaching a shell or HTTP client while keeping the real method names out of static signatures. ClamAV detects both the document and the carved vbaProject.bin as Xls.Dropper.Agent-7633704-0. Together, the VBA project and the dropper classification indicate that the file's purpose is to download and execute a secondary payload; this report recovers no download URL or second-stage hash, so the payload has to be identified dynamically. Two artifact-level observations merit a follow-up: the VBA project is 386,048 bytes while the decoded macro source is only 3,784 bytes, so the compiled p-code should be compared against the source (for example with pcodedmp) to rule out VBA stomping; and xl/media/image3.emf is 1,334,084 bytes where the other six EMF parts are 1 to 6 KB, so it should be inspected on its own.

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV: Xls.Dropper.Agent-7633704-0
    ClamAV detected this file as malware: Xls.Dropper.Agent-7633704-0
  • EXTRACTED_FILE_CLAMAV (critical): ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample (here the carved xl/vbaProject.bin). Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • OLE_VBA_CREATEOBJ (high): CreateObject call
    The macro instantiates a COM object by ProgID at run time. This is how VBA droppers typically reach a shell (WScript.Shell), an HTTP client (MSXML2.XMLHTTP) or the file system (Scripting.FileSystemObject) without referencing those libraries statically.
  • OLE_VBA_CALLBYNAME (high): CallByName call
    The macro invokes a method or property by a name passed as a string, so the real call (for example Run or Open) can be assembled at run time and hidden from keyword scanners.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains xl/vbaProject.bin, so VBA macros are present.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

macros.bas
  SHA-256: c482702f7d8d40522d8e8c818571563f742231fd297ed904f6c92c5110281d49
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    3784 bytes

vbaProject_00.bin
  SHA-256: 9497ab22b6d165847ec059d354a69792600dcd41090e7f652a630f901add7040
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    386048 bytes
  Detection: ClamAV: Xls.Dropper.Agent-7633704-0
  Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)

emf_00.emf
  SHA-256: 3c140dae60187f9aed0032a882e3170c1439f3099f9312fd3b47c41883066d5b
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image5.emf
  Size:    1272 bytes

emf_01.emf
  SHA-256: ecd7a9400b6ff11ef1cb9c0104990b9b394842d515cfe2a52d837c545ac74a5b
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image6.emf
  Size:    1272 bytes

emf_02.emf
  SHA-256: 590e7d3729467c06e3eea299b2a7ea2e6a9b2cfd402b1882c6de5abef68edfe5
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image7.emf
  Size:    1272 bytes

emf_03.emf
  SHA-256: 8d48cc789533c4117cbddfbde01112daa00bec1fd07b3dc8356661f8a2a687af
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image4.emf
  Size:    6120 bytes

emf_04.emf
  SHA-256: fd98394bc27622290d00b36960ce94295da097d3c24a3849dba5d16975c6b2df
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image1.emf
  Size:    1868 bytes

emf_05.emf
  SHA-256: 763b992658dac391bf8886f53e454088707d80f8cc7727c425b77674e07f52d3
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image2.emf
  Size:    1272 bytes

emf_06.emf
  SHA-256: 62a016875789c0bae8a5c5606738813963b54709987eca3a8a30e04980daaf92
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image3.emf
  Size:    1334084 bytes
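The heuristics and the artifact list above are the output of a fairly simple OOXML walk: open the document as a zip, flag xl/vbaProject.bin, scan that container for execution-related tokens, and carve every media part with its hash and size. The script below reproduces that walk as an added example; it is not the analysis platform's code, and it does not reimplement olevba or ClamAV. It uses only the Python standard library. The sample it triages is a constructed stand-in built in build_sample(): the same part names and EMF sizes as this report, with a fake OLE container that merely carries the CreateObject and CallByName tokens. The size_outliers() check goes one step beyond the page's own heuristics and flags a media part that is far larger than its siblings, which is exactly the xl/media/image3.emf case in this report.

```python
"""OOXML (XLSX) static triage: enumerate parts, flag an embedded VBA project,
scan it for execution tokens, carve media parts with SHA-256 and size, and
flag size outliers. Added example, not the analysis platform's own code."""
import hashlib
import io
import re
import statistics
import zipfile
from dataclasses import dataclass, field

VBA_PART = "xl/vbaProject.bin"
MEDIA_PREFIX = "xl/media/"

# Tokens behind the OLE_VBA_* heuristics. The scan runs over the raw container
# bytes, a cheap first pass; it is a keyword indicator, not a parse of the macro.
VBA_TOKENS = {
    "OLE_VBA_CREATEOBJ": re.compile(rb"CreateObject", re.I),
    "OLE_VBA_CALLBYNAME": re.compile(rb"CallByName", re.I),
}


@dataclass
class Artifact:
    name: str
    kind: str
    size: int
    sha256: str
    hits: list = field(default_factory=list)


@dataclass
class Triage:
    has_vba: bool
    heuristics: list
    artifacts: list


def triage_ooxml(data: bytes) -> Triage:
    """Walk the OOXML zip and return the fired heuristics plus carved artifacts."""
    heuristics, artifacts, has_vba = [], [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == VBA_PART:
                blob = zf.read(name)
                has_vba = True
                heuristics.append("OOXML_VBA")
                hits = [h for h, rx in VBA_TOKENS.items() if rx.search(blob)]
                heuristics.extend(hits)
                artifacts.append(Artifact(name, "vba-project", len(blob),
                                          hashlib.sha256(blob).hexdigest(), hits))
            elif name.startswith(MEDIA_PREFIX) and not name.endswith("/"):
                blob = zf.read(name)
                kind = "ooxml-" + name.rsplit(".", 1)[-1].lower()
                artifacts.append(Artifact(name, kind, len(blob),
                                          hashlib.sha256(blob).hexdigest()))
    return Triage(has_vba, heuristics, artifacts)


def size_outliers(artifacts, factor=10):
    """Names of carved parts larger than factor x the median size of their kind.
    A lone multi-megabyte image among kilobyte-sized siblings deserves its own look."""
    by_kind = {}
    for a in artifacts:
        by_kind.setdefault(a.kind, []).append(a)
    out = []
    for group in by_kind.values():
        if len(group) < 3:          # too few siblings for a meaningful median
            continue
        med = statistics.median(a.size for a in group)
        out.extend(a.name for a in group if a.size > factor * med)
    return out


def build_sample() -> bytes:
    """Constructed stand-in for the sample on this page (same part names and
    EMF sizes); the VBA container is fake and only carries the two tokens."""
    vba = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 magic
           + b'Set o = CreateObject("WScript.Shell")\r\n'
           + b'CallByName o, "Run", VbMethod, cmd\r\n')
    emf_sizes = {"image1.emf": 1868, "image2.emf": 1272, "image3.emf": 1334084,
                 "image4.emf": 6120, "image5.emf": 1272, "image6.emf": 1272,
                 "image7.emf": 1272}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr(VBA_PART, vba)
        for fname, size in emf_sizes.items():
            # EMF header type marker followed by zero padding to the target size
            zf.writestr(MEDIA_PREFIX + fname, b"\x01\x00\x00\x00" + b"\x00" * (size - 4))
    return buf.getvalue()


if __name__ == "__main__":
    t = triage_ooxml(build_sample())
    print("VBA project:", t.has_vba, "heuristics:", t.heuristics)
    for a in t.artifacts:
        print(f"{a.name:28} {a.kind:14} {a.size:>8} {a.sha256[:16]}... {a.hits}")
    print("size outliers:", size_outliers(t.artifacts))
```

Run it on a real document by replacing build_sample() with the file's bytes; the token scan fires on the raw OLE container, so it also catches a project whose decompressed source was removed but whose compiled module still names the functions, which is one reason to read the p-code and not only the olevba output when the project and source sizes disagree as they do here.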