Xls.Dropper.Agent-7639385-0 Office (OOXML) / .XLSX malware analysis — malicious · d4f6bd3c3e96a5a1

MALICIOUS

Office (OOXML) / .XLSX

71.0 KB Created: 2020-03-21 15:56:20 UTC Authoring application: 16.0300

MD5: 7b2ad1390d4b7c0b445a70d311f29d05 SHA-1: 58df52cf85765752cce999245e74c3bde6328d0a SHA-256: d4f6bd3c3e96a5a1ab8ee617e8d43814a00a4ec3db1e24bfd7adb3cbc7901789

268 Risk Score

Malware Insights

Xls.Dropper.Agent-7639385-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an OOXML XLSX file containing VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening. ClamAV signatures confirm this is a known dropper agent. No specific URLs or executable payloads were directly extracted, but the presence of obfuscated VBA and auto-execution heuristics strongly indicates a payload delivery mechanism.

Heuristics 8

ClamAV: Xls.Dropper.Agent-7639385-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7639385-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
- http://schemas.microsoft.com/office/spreadsheetml/2014/revision
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0de5ac0167c1d331be72e2a883544896ba272cf941a90da15d37177124115515`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	9193 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 223 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
`vbaProject_00.bin` `9e1a42ea2fb9dc3214c0ac2846f44d369e3a99e0d9b2b033b1226192bab17804`	vba-project	OOXML VBA project: xl/vbaProject.bin	291328 bytes
Detection ClamAV: Xls.Dropper.Agent-7639385-0 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.