Xls.Dropper.Agent-7659550-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 6e73eee818a7ce59…

MALICIOUS

Office (OLE) / .XLS

Size: 58.5 KB
Created: 2020-04-08 08:02:22
Authoring application: Microsoft Excel
MD5: ad2f362e19d773e7728e4dadc2f98ba8
SHA-1: 19272fcc0c36adac3d2c10d91816abde5bf7efc7
SHA-256: 6e73eee818a7ce59c0ef6d73a2505e7b6bb699273710a7d83897e500a14fee70
Risk Score: 280

Malware Insights

Xls.Dropper.Agent-7659550-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing VBA macros. Heuristics indicate the use of WScript.Shell and the Shell() function, which are commonly used to execute arbitrary commands. The macro attempts to execute a command via WScript.Shell, likely to download and run a secondary payload. The ClamAV detection name 'Xls.Dropper.Agent-7659550-0' further supports its nature as a dropper.

Heuristics 6

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • ClamAV: Xls.Dropper.Agent-7659550-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7659550-0
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (c55c640dea6229d89e3d05372ba4b930a9ff67c0899325f8b604a9ef9cef4251) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1711 bytes