Xls.Dropper.Agent-5967844-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 adac63264f602fd9…

MALICIOUS

Office (OLE)

Size: 124.5 KB
Created: 2005-12-27 14:30:05
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: d6025910ef47304ffa8b655e8e765392
SHA-1: 30ed3aeab5a13f144ecda4392ff7338e18da1fb7
SHA-256: adac63264f602fd9f73e3488fed6d72c7a69e6a8183e0b582ec62d8e4a605844
Risk Score: 622

Malware Insights

Xls.Dropper.Agent-5967844-0 · confidence 95%

MITRE ATT&CK
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample is an Excel document containing embedded shellcode that references the ShellExecute, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread APIs, indicating it is designed to download and execute a secondary payload. The embedded PE executable and the ClamAV detections further confirm its malicious nature. The document body contains obfuscated text and an embedded URL, suggesting a lure or a command-and-control channel.

Heuristics 14

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and counts as Office object-delivery evidence when paired with exploit-payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Xls.Dropper.Agent-5967844-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-5967844-0
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • XOR-encoded strings (key 0x55) critical SC_XOR_ENCODED
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x55: 'kernel32.dll', 'shell32.dll', 'LoadLibraryA', 'GetProcAddress', 'URLDownloadToFileA', 'ShellExecuteA'
    Disassembly
    x86 disassembly · validity: code (0.713) — 1/2 branch targets land on an instruction boundary (50% coherence)
    00005C7C  3e3027            xor byte ptr ds:[edi], ah
    00005C7F  3b30              cmp esi, dword ptr [eax]
    00005C81  396667            cmp dword ptr [esi + 0x67], esp
    00005C84  7b31              jnp 0x5cb7
    00005C86  3939              cmp dword ptr [ecx], edi
    00005C88  55                push ebp
    00005C89  3926              cmp dword ptr [esi], esp
    00005C8B  2127              and dword ptr [edi], esp
    00005C8D  3930              cmp dword ptr [eax], esi
    00005C8F  3b1455102d3c21    cmp edx, dword ptr [edx*2 + 0x213c2d10]
    00005C96  05273a3630        add eax, 0x30363a27
    00005C9B  262600558b        add byte ptr es:[ebp - 0x75], dl
    00005CA0  ec                in al, dx
    00005CA1  83c4fc            add esp, -4
    00005CA4  53                push ebx
    00005CA5  57                push edi
    00005CA6  56                push esi
    00005CA7  e800000000        call 0x5cac
    00005CAC  5b                pop ebx
    00005CAD  81ebac124000      sub ebx, 0x4012ac
    00005CB3  56                push esi
    00005CB4  8d8b92124000      lea ecx, [ebx + 0x401292]
    00005CBA  8db320104000      lea esi, [ebx + 0x401020]
    00005CC0  2bce              sub ecx, esi
    00005CC2  83c10b            add ecx, 0xb
    00005CC5  8b4431ff          mov eax, dword ptr [ecx + esi - 1]
    00005CC9  83f055            xor eax, 0x55
    00005CCC  894431ff          mov dword ptr [ecx + esi - 1], eax
    00005CD0  e2f3              loop 0x5cc5
    00005CD2  5e                pop esi
    00005CD3  8d832d124000      lea eax, [ebx + 0x40122d]
    00005CD9  50                push eax
    00005CDA  ff                .byte 0xff
    00005CDB  93                xchg ebx, eax
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBX)
    Disassembly
    x86 disassembly · validity: code (0.984) — 3/3 branch targets land on an instruction boundary (100% coherence)
    00005CA7  e800000000        call 0x5cac
    00005CAC  5b                pop ebx
    00005CAD  81ebac124000      sub ebx, 0x4012ac
    00005CB3  56                push esi
    00005CB4  8d8b92124000      lea ecx, [ebx + 0x401292]
    00005CBA  8db320104000      lea esi, [ebx + 0x401020]
    00005CC0  2bce              sub ecx, esi
    00005CC2  83c10b            add ecx, 0xb
    00005CC5  8b4431ff          mov eax, dword ptr [ecx + esi - 1]
    00005CC9  83f055            xor eax, 0x55
    00005CCC  894431ff          mov dword ptr [ecx + esi - 1], eax
    00005CD0  e2f3              loop 0x5cc5
    00005CD2  5e                pop esi
    00005CD3  8d832d124000      lea eax, [ebx + 0x40122d]
    00005CD9  50                push eax
    00005CDA  ff9300104000      call dword ptr [ebx + 0x401000]
    00005CE0  8945fc            mov dword ptr [ebp - 4], eax
    00005CE3  8d8338124000      lea eax, [ebx + 0x401238]
    00005CE9  50                push eax
    00005CEA  ff75fc            push dword ptr [ebp - 4]
    00005CED  ff9304104000      call dword ptr [ebx + 0x401004]
    00005CF3  898310104000      mov dword ptr [ebx + 0x401010], eax
    00005CF9  8d834b124000      lea eax, [ebx + 0x40124b]
    00005CFF  50                push eax
    00005D00  ff9308104000      call dword ptr [ebx + 0x401008]
    00005D06  89                .byte 0x89
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions — a sled or padding/filler run, not program logic).
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x4B bytes
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'dec' is 100% of instructions — a sled or padding/filler run, not program logic).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://longdiy.myrice.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_office_00005600.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5600
Size: 105472 bytes
SHA-256: e9d93bf8cce518b79859c13976707ebc850f0f5aab40dfbceeee8864d94d4927
Detection
ClamAV: Win.Downloader.Small-1141
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS
Static shellcode analysis recovered API/import strings: shell32.dll, GetProcAddress, VirtualAlloc, VirtualAllocEx, ExitProcess, CreateFileA