Xls.Dropper.Agent — Office (OLE) malware analysis

Static analysis result for SHA-256 7f1e8a373e4eaba6…

MALICIOUS

Office (OLE)

316.5 KB Created: 2020-07-02 12:55:44 Authoring application: Microsoft Excel First seen: 2020-08-10
MD5: a9b945bc753d80660ab50c3164878920 SHA-1: 865f27134e2b569c19bc8f31df54bf978188df4c SHA-256: 7f1e8a373e4eaba6fe9d7b263ec5ad2f060fcba57cf4e261bc314efd8c0f8cba
120 Risk Score

Malware Insights

Xls.Dropper.Agent · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an encrypted Excel 4.0 macro sheet, identified by ClamAV as Xls.Dropper.Agent. The presence of XLM macros suggests an attempt to execute arbitrary code, likely to download and run a secondary payload. The document body was unreadable, but the heuristics strongly indicate a dropper functionality.

Heuristics 3

  • ClamAV: Xls.Dropper.Agent-8810136-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8810136-0
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.