Xls.Dropper.Agent-7690074-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 f41d531cb5772db6…

MALICIOUS

Office (OLE) / .XLS

60.5 KB Created: 2020-04-24 06:37:02 Authoring application: Microsoft Excel
MD5: 1864191318b32368464f6a5afc0edcc3 SHA-1: ee7dcc1ad4ebdde417364740b5043654f92532c2 SHA-256: f41d531cb5772db6fe63e8678280e73b0f98750bfbf9b781537d64f55758263f
120 Risk Score

Malware Insights

Xls.Dropper.Agent-7690074-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The critical ClamAV detection and high heuristic firing for an encrypted Excel 4.0 macro sheet indicate a malicious dropper. The presence of an 'autoopen' macro suggests an attempt to automatically execute malicious code upon opening. The encrypted nature of the macro sheet further supports its malicious intent, likely to obscure the payload delivery mechanism.

Heuristics 3

  • ClamAV: Xls.Dropper.Agent-7690074-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7690074-0
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.