Xls.Dropper.Agent-7079703-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 b65dc3c569473895…

MALICIOUS

Office (OLE)

956.2 KB Created: 2003-07-13 10:04:24 Authoring application: Microsoft Excel First seen: 2019-05-16
MD5: d4fcd031be8a3a966ccbbed793f45166 SHA-1: 28f2224e42ae49ad01ace92a5bb31cd3f3620702 SHA-256: b65dc3c5694738954fabc880825ee08839414281564082b31ff216388a93cfb2
602 Risk Score

Malware Insights

Xls.Dropper.Agent-7079703-0 · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel document identified by ClamAV as 'Xls.Dropper.Agent-7079703-0'. It contains multiple embedded PE executables and OLE objects, indicating a dropper functionality. Heuristics for CreateProcess, ShellExecute, and URLDownloadToFile suggest the file's intent is to download and execute additional malicious content. The presence of embedded executables strongly supports this dropper behavior.

Heuristics 14

  • ClamAV: Win.Trojan.Agent-6943819-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-6943819-1
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 979,194 bytes but its declared streams total only 12,288 bytes — 966,906 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0 In document text (OLE body)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0In document text (OLE body)
    • http://crl.verisign.com/tss-ca.crl0In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0OIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0In document text (OLE body)
    • http://office.microsoft.comIn document text (OLE body)

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000660a.exe embedded-pe Office MZ+PE at offset 0x660A 953072 bytes
SHA-256: 9aebaa6f26fc87e3a084e5b22a0375d6880b7728cfcd3824c9e516e448b4de0a
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off00003605.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x3605 965365 bytes
SHA-256: 904069996d64a2d51887c3591d4398b99a2150e261ec79c08c5ac33e0dcb8d0e
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off00006480.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x6480 953466 bytes
SHA-256: fabbb7c13d445e0512c091d2adc0c2114f9ebe2ee650dd9e3a1490dd5a528ace
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_0000660a_1.exe embedded-pe Office MZ+PE at offset 0x660A 623237 bytes
SHA-256: fe84cec27f11cc863f02d0723857be5db510d30685c6d8a69cdbede97c90a2fb
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off0005086b.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x5086B 649359 bytes
SHA-256: a96aae7b04ed4b2bdb11a820a158e85ce69384305ecf09fa6b0b2046d12a2607
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off00053e70.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x53E70 635530 bytes
SHA-256: 881ca3c60899e9daf3d06e89b5fe0f75f191867db0541b0d5345bdfb369fadb6
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln