Xls.Dropper.Agent-8803805-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 8abdbf421fc16156…

MALICIOUS

Office (OLE)

Size: 921.0 KB
Created: 2020-07-07 10:47:28
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: 9a26b8572be87c40cf75cf23e3727776
SHA-1: 3d98c3ea2a780202ee8d5d487633dadf32cac5c1
SHA-256: 8abdbf421fc1615635bd9088af865634164f6d8173b127ad83ff1494e54a6b50
Risk score: 120

Malware Insights

Xls.Dropper.Agent-8803805-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The critical ClamAV detection and the presence of an encrypted Excel 4.0 macro sheet strongly indicate malicious intent. The macro sheet likely contains code to download and execute a secondary payload, as suggested by the 'Dropper' classification in the ClamAV signature. The file's structure and detection name point to a common malware distribution technique.

Heuristics (3)

  • ClamAV: Xls.Dropper.Agent-8803805-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-8803805-0
  • Encrypted Excel 4.0 macro sheet (severity: high, rule: OLE_XLM_ENCRYPTED_MACROSHEET)
    Workbook contains an Excel 4.0 macro sheet and a BIFF FILEPASS record (workbook encryption). Password-protected XLM macro sheets, especially those using the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.