Xls.Dropper.Agent-9473367-0 Office (OOXML) / .XLSM malware analysis — malicious · 57b364e68a864042

MALICIOUS

Office (OOXML) / .XLSM

58.5 KB Created: 2020-06-03 11:52:15 UTC Authoring application: 16.0300

MD5: c213dedd27ce92d721d32d5b7869d451 SHA-1: b3ad24fd0b2f2579d179887e4ca0c83a3c779b79 SHA-256: 57b364e68a8640420dddf3124a6a2ae92983a98e0b0cacec1669a7700dccb519

320 Risk Score

Malware Insights

Xls.Dropper.Agent-9473367-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

This XLSM file contains VBA macros that utilize WScript.Shell and the Shell() function. These capabilities are indicative of a dropper, designed to download and execute a secondary payload. The ClamAV detection name 'Xls.Dropper.Agent-9473367-0' further supports this assessment and identifies the likely malware family. The embedded artifact also matches this detection.

Heuristics 7

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
ClamAV: Xls.Dropper.Agent-9473367-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-9473367-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `3cf1bc5fa4a620eb657294e23e6f8a0818a877dde67105f73236cf437fc23373`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1215 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
`vbaProject_00.bin` `be479c93521ffd41150ad3bb888ae916cdae53449cfe7b820f433898707edaec`	vba-project	OOXML VBA project: xl/vbaProject.bin	15872 bytes
Detection ClamAV: Xls.Dropper.Agent-9473367-0 Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
`emf_00.emf` `0150e5362d61c523a60fbc072d6d1afbb7ef83bd885f7e984ea20b1cc608b88f`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.