Xls.Dropper.Agent-7079703-0 Office (OLE) malware analysis — malicious · c35fbcf99c41cc78

MALICIOUS

Office (OLE)

958.2 KB Created: 2003-07-13 10:04:24 Authoring application: Microsoft Excel First seen: 2019-12-09

MD5: 9533f69a5c3cca67fab66042c6e87005 SHA-1: 630c6de9e7f63bdedd73d114d3e9e5dc69727b46 SHA-256: c35fbcf99c41cc7872e4302b0674b288c089963bd46ae48a7885cd8b4ee9f5d7

602 Risk Score

Malware Insights

Xls.Dropper.Agent-7079703-0 · confidence 95%

MITRE ATT&CK

T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel document identified by ClamAV as 'Xls.Dropper.Agent-7079703-0'. It contains multiple embedded PE executables and OLE objects, indicating a dropper functionality. Heuristics for CreateProcess, ShellExecute, and URLDownloadToFile suggest the file's intent is to download and execute additional malicious content. The presence of embedded executables strongly supports this dropper behavior.

Heuristics 14

ClamAV: Win.Trojan.Agent-6943819-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-6943819-1
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE

A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 981,216 bytes but its declared streams total only 12,288 bytes — 968,928 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS

The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ocsp.verisign.com0 In document text (OLE body)
- http://crl.verisign.com/ThawteTimestampingCA.crl0In document text (OLE body)
- http://crl.verisign.com/tss-ca.crl0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0OIn document text (OLE body)
- http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0In document text (OLE body)
- http://office.microsoft.comIn document text (OLE body)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0000660a.exe`	embedded-pe	Office MZ+PE at offset 0x660A	955094 bytes
SHA-256: `0aa1cceb22f8d7c1e6f5a4392de29ba9caa14155ad4aba23a8fdc25b9bedb27d`
Detection ClamAV: Win.Trojan.Agent-6943819-1 Obfuscation or payload: likely Static shellcode analysis recovered command string(s): cmdln
`embedded_office_off00003605.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x3605	967387 bytes
SHA-256: `70e42d3770b6a730c9c09e78620c7770ef5fae8b409aa82905a0ca1f47d283d8`
Detection ClamAV: Win.Trojan.Agent-6943819-1 Obfuscation or payload: likely Static shellcode analysis recovered command string(s): cmdln
`embedded_office_off00006480.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x6480	955488 bytes
SHA-256: `6ad9b3319f9cc16525cbdf095dc50e4de3acf4c52415bfd43e886582140e7b12`
Detection ClamAV: Win.Trojan.Agent-6943819-1 Obfuscation or payload: likely Static shellcode analysis recovered command string(s): cmdln
`embedded_office_0000660a_1.exe`	embedded-pe	Office MZ+PE at offset 0x660A	623166 bytes
SHA-256: `00d4cc2f3df63f1a51eeb054ab33f7cf2ebcfbfbb8d117e02a365c9eb10e0334`
Detection ClamAV: Win.Trojan.Agent-6943819-1 Obfuscation or payload: likely Static shellcode analysis recovered command string(s): cmdln
`embedded_office_off00051098.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x51098	649288 bytes
SHA-256: `ae1e19502ac73814ae419c7de96218226a1708f1febcbccbb041ea726afbdc53`
Detection ClamAV: Win.Trojan.Agent-6943819-1 Obfuscation or payload: likely Static shellcode analysis recovered command string(s): cmdln
`embedded_office_off0005469d.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x5469D	635459 bytes
SHA-256: `107fab7e0c3328251da208164c2aa5740ea8edb108f22d7e8487621345e148bd`
Detection ClamAV: Win.Trojan.Agent-6943819-1 Obfuscation or payload: likely Static shellcode analysis recovered command string(s): cmdln

Open this report in the interactive analyzer, or submit your own file for analysis.