Xls.Dropper.Agent-7379447-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 8724bae6a142d24f…

MALICIOUS

Office (OLE) / .XLS

Size: 32.5 KB
Created: 2019-11-05 13:45:03
Authoring application: Microsoft Excel
MD5: c7c57b5721dc914f07aba569bf1e50c7
SHA-1: cb388d48a6ee42fe4e001921c27805a819de30ac
SHA-256: 8724bae6a142d24ffb70e3fb3a534223186598202d4b4971e3f1e927519e6665
Risk Score: 220

Malware Insights

Xls.Dropper.Agent-7379447-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing VBA macros, including Auto_Open, Workbook_Open, and AutoOpen, which are commonly used to trigger malicious execution upon opening. The macros utilize Windows API functions like VirtualAlloc and CreateThread, indicating the likely execution of shellcode. This behavior is consistent with a dropper malware designed to download and execute a second-stage payload.

Heuristics (6)

  • ClamAV: Xls.Dropper.Agent-7379447-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7379447-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e18f7761c1ffc9d0157b4a680b40d8f59eee44fa47a1c613dd90b3d053537b34
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3920 bytes