Xls.Dropper.Agent-8019483-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 6de3645643318c34…

MALICIOUS

Office (OLE) / .XLS

287.5 KB Created: 2020-04-23 12:26:24 Authoring application: Microsoft Excel
MD5: 3b686dde4ab28b0ae6ced8d8ec6bb90c SHA-1: cd27a744fd7e9c7d8291499008ca42bbe873c4bd SHA-256: 6de3645643318c34d97b2106ce9dd34ce41cb0c11e6f2f2788916abfdef70ea2
120 Risk Score

Malware Insights

Xls.Dropper.Agent-8019483-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The critical ClamAV heuristic and the presence of an encrypted Excel 4.0 macro sheet strongly indicate a malicious dropper. The macro sheet likely contains code to download and execute a secondary payload, a common technique for malware distribution. The file's metadata and heuristic firings align with known dropper families.

Heuristics 3

  • ClamAV: Xls.Dropper.Agent-8019483-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8019483-0
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.