Xls.Dropper.Agent-8075801-0 Office (OOXML) / .XLSM malware analysis — malicious · e894ace959ac95fd

MALICIOUS

Office (OOXML) / .XLSM

62.8 KB Created: 2020-06-08 09:49:47 UTC Authoring application: 16.0300

MD5: a6463920a67e8e7552f23e16c4c4571b SHA-1: 6edd3af0be2d84ede64ed9b0bf9f0317df6f742a SHA-256: e894ace959ac95fda393105d2905b0668ad93781c04be83f9f41fdf38edc1cbc

320 Risk Score

Malware Insights

Xls.Dropper.Agent-8075801-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

This XLSM file contains VBA macros that utilize WScript.Shell and the Shell() function to execute commands. The ClamAV detection 'Xls.Dropper.Agent-8075801-0' strongly suggests this macro is designed to download and execute a second-stage payload. The presence of embedded VBA macros and the specific ClamAV signature indicate a dropper functionality.

Heuristics 7

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
ClamAV: Xls.Dropper.Agent-8075801-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-8075801-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `6733b438f226329c4acecb44fc970a6e52d7e449aa0d33d03a87c444a8676b62`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1019 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
`vbaProject_00.bin` `fdc14df41d328706c77bb4892fb8f789da8f050f9e0e41ad221675ef257f66b8`	vba-project	OOXML VBA project: xl/vbaProject.bin	15360 bytes
Detection ClamAV: Xls.Dropper.Agent-8075801-0 Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
`emf_00.emf` `7662b9566e5b6268237939d70430c3c63587ce1f24b006f3e9ac5aa87ce327cd`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	3420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.