Xls.Dropper.Agent-7623155-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 f67da0a00b2b672b…

MALICIOUS

Office (OLE)

Size: 120.3 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
First seen: 2013-03-20
MD5: 3952df5f4d610ff70e3d9926e47b0618
SHA-1: ba3ff49135d5ccdff4b61e35add1b0a18fa1eb32
SHA-256: f67da0a00b2b672bdc70895ea03db3afda446d47c92d48a4d43258c548d1bcc4
Risk Score: 324

Malware Insights

Xls.Dropper.Agent-7623155-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-7623155-0. Static analysis reveals suspicious API calls such as WinExec, CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, indicating an attempt to execute code. The presence of VBA macros, though not containing executable statements directly, suggests a potential for dynamic execution or exploitation. The embedded URLs, while mostly benign, are part of the overall context of a dropper.

Heuristics (10)

  • ClamAV: Xls.Dropper.Agent-7623155-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7623155-0
  • Reference to WinExec API [high] SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 123,144 bytes but its declared streams total only 42,689 bytes — 80,455 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements [info] OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • http://ocsp.verisign.com0 | In document text (OLE body)
    • http://investor.msn.com/external/excel/quotes.asp?SYMBOL=[ | In document text (OLE body)
    • http://crl.verisign.com/tss-ca.crl0 | In document text (OLE body)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0 | In document text (OLE body)
    • https://www.verisign.com/rpa | In document text (OLE body)
    • https://www.verisign.com/rpa01 | In document text (OLE body)
    • http://crl.verisign.com/pca3.crl0 | In document text (OLE body)
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D | In document text (OLE body)
    • https://www.verisign.com/rpa0 | In document text (OLE body)
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0 | In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 684 bytes
SHA-256: 73fe284b1e885bd0405ecb421b1224021163ce4aa3bca30e5a2deb64f9916b3c
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "SystemMonitor1, 10, 0, SystemMonitor, SystemMonitor"