Xls.Dropper.Agent-1560061 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 81723f2fdced3bdd…

MALICIOUS

Type: Office (OLE) / .XLS

Size: 106.6 KB

MD5: 2adf079a5595d988a0c85fc578cd99d2
SHA-1: 77d7849e12392e96fa1fda9ece27929ffcac50f8
SHA-256: 81723f2fdced3bdd7f70c2e5f8f524918f55f48d9af67de5647ab56300651c41

Risk Score: 262

Malware Insights

Xls.Dropper.Agent-1560061 · confidence 95%

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-1560061. Static analysis revealed multiple high-severity heuristics: string references to memory-management APIs (VirtualAlloc, VirtualProtect) and to library-loading and execution APIs (LoadLibrary, GetProcAddress, ShellExecute), a combination typical of code that stages and runs shellcode or a downloaded payload. The OLE slack anomaly (a large region of the file not accounted for by any declared stream) further suggests obfuscated or packed content. No malicious URLs were extracted, but together these indicators strongly suggest the file's purpose is to act as a dropper.

Heuristics (8)

  • ClamAV: Xls.Dropper.Agent-1560061 [critical · CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Agent-1560061
  • Reference to ShellExecute API [high · SC_STR_SHELLEXEC]
    The file contains a string reference to the ShellExecute API.
  • Reference to LoadLibrary API [high · SC_STR_LOADLIBRARY]
    The file contains a string reference to the LoadLibrary API.
  • Reference to GetProcAddress API [high · SC_STR_GETPROCADDRESS]
    The file contains a string reference to the GetProcAddress API.
  • OLE document has large unaccounted-for region [high · OLE_SLACK_ANOMALY]
    The OLE file is 109,184 bytes but its declared streams total only 56,346 bytes; the remaining 52,838 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure.
  • Reference to VirtualAlloc API [medium · SC_STR_VIRTUALALLOC]
    The file contains a string reference to the VirtualAlloc API.
  • Reference to VirtualProtect API [medium · SC_STR_VIRTUALPROTECT]
    The file contains a string reference to the VirtualProtect API.
  • Embedded URL [info · EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://www.microsoft.com
      • https://www.verisign.com/rpa
      • http://ocsp.verisign.com/ocsp/status0
      • https://www.verisign.com/rpa0
      • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    The verisign.com and crl.microsoft.com entries are certificate-policy (RPA), OCSP and CRL addresses of the kind carried in a code-signing certificate chain, which points to a signed executable embedded in the document rather than to a download location; the trailing "0" on several of them is a common artifact of extracting printable strings from DER-encoded certificate data.