Xls.Dropper.Agent-7370611-0 Office (OLE) malware analysis — malicious · 931cbb463ef1754c

MALICIOUS

Office (OLE)

204.5 KB First seen: 2015-09-19

MD5: 21b28135253eae4b8377b5ce670ad790 SHA-1: cbc0dab2a4b360fdb567cc39a386adf1d6d71767 SHA-256: 931cbb463ef1754c14ae5606edf4232044d2ce949ddd717cf7e31a759387cda8

148 Risk Score

Malware Insights

Xls.Dropper.Agent-7370611-0 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer

The file is detected as malicious by ClamAV with the signature Xls.Dropper.Agent-7370611-0. Heuristics indicate an OLE document with an appended executable payload and a large slack space, suggesting it's designed to hide malicious content. Although the VBA macros themselves contain no executable statements, the overall structure and appended payload strongly suggest a dropper functionality, likely delivered via spearphishing.

Heuristics 4

ClamAV: Xls.Dropper.Agent-7370611-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7370611-0
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 209,456 bytes but its declared streams total only 117,220 bytes — 92,236 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 671 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	671 bytes
SHA-256: `11993efa3cba2fc6c51e24c164f8f6ee10667f9dc6a11024b0790cb1a63a4c71`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ListView2, 1, 1, MSComctlLib, ListView" Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 11993efa3cba2fc6c51e24c164f8f6ee10667f9dc6a11024b0790cb1a63a4c71

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ListView2, 1, 1, MSComctlLib, ListView"

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.