Xls.Dropper.Agent-7915749-0 Office (OOXML) / .XLSM malware analysis — malicious · cc8fd2dddf219a22

MALICIOUS

Office (OOXML) / .XLSM

63.1 KB Created: 2020-05-27 09:14:17 UTC Authoring application: Microsoft Excel 16.0300

MD5: 0bbf25412b4dc63e5bb137d0ed782a93 SHA-1: 150de11c2e42512329c1baa30b2e40a5d397a7d3 SHA-256: cc8fd2dddf219a22e108fc0aa92f08279c60b1919da54b6ddd8f328d1ce3ec0e

320 Risk Score

Malware Insights

Xls.Dropper.Agent-7915749-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

This XLSM file contains VBA macros that utilize WScript.Shell and the Shell() function to execute commands. The ClamAV detection 'Xls.Dropper.Agent-7915749-0' and the heuristic firings strongly indicate that the macros are designed to download and execute a second-stage payload. The embedded artifact 'macros.bas' likely contains the malicious script. The presence of an embedded URL, though not explicitly detailed, further supports the dropper functionality.

Heuristics 7

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
ClamAV: Xls.Dropper.Agent-7915749-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7915749-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `50e689e6226f508ed9641fffbda69dde5579eb92f3a35ed86c8124516e5ad3c1`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1134 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
`vbaProject_00.bin` `473343922b138679c021fb94a1444c9b9ff2c744a40dcc4361260651965d985c`	vba-project	OOXML VBA project: xl/vbaProject.bin	10752 bytes
Detection ClamAV: Xls.Dropper.Agent-7915749-0 Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
`emf_00.emf` `76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.