Xls.Dropper.Agent-7622793-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 4d1a397925712b51…

MALICIOUS

Office (OLE)

317.0 KB First seen: 2015-09-16
MD5: 16b9c1a90f780ec585a3a72dbd591b3d SHA-1: 7b3c2a9f3338d8ba84681f061f317dcc1ab8f804 SHA-256: 4d1a397925712b51958aa9f2b8f1534f0a0e50bdee8a834363fa255305cb310f
302 Risk Score

Malware Insights

Xls.Dropper.Agent-7622793-0 · confidence 85%

MITRE ATT&CK
T1204.002 Malicious File

The file is identified as a malicious dropper by ClamAV, indicating its primary function is to download and execute additional malware. Heuristics indicate the use of Windows API functions such as VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, which are commonly used by droppers to allocate memory and load malicious code. The embedded URL is likely used to fetch the secondary payload.

Heuristics 9

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Xls.Dropper.Agent-7622793-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7622793-0
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 324,566 bytes but its declared streams total only 31,351 bytes — 293,215 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.uyghuramerican.org/info@uyghuramerican.org In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.