Xls.Dropper.Agent-7633704-0 — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 f8f89535dd95260c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 388.9 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: b117106e2dfba4ba924274aeea50f789
SHA-1: 76bb034d2e6cfe4ae6a585626cccc535b4a3c18c
SHA-256: f8f89535dd95260ce451b482a3927c05717e02b072db08f91e9c1b1d61e2ae12
Risk Score: 222

Malware Insights

Xls.Dropper.Agent-7633704-0 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is identified by ClamAV as Xls.Dropper.Agent-7633704-0, indicating it functions as a dropper. Heuristics confirm the presence of VBA macros, specifically noting CreateObject and CallByName calls, which are commonly used for executing malicious code. No document body text was available for analysis, but the presence of VBA macros and the ClamAV detection strongly suggest the file's intent is to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Xls.Dropper.Agent-7633704-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7633704-0
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    The VBA code calls CreateObject.
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    The VBA code calls CallByName.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin; VBA macros are present.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size, and SHA-256 of the carved file.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3784 bytes
    SHA-256: c482702f7d8d40522d8e8c818571563f742231fd297ed904f6c92c5110281d49
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 386048 bytes
    SHA-256: 9497ab22b6d165847ec059d354a69792600dcd41090e7f652a630f901add7040
    Detection: ClamAV: Xls.Dropper.Agent-7633704-0
    Obfuscation or payload: likely. The carved artifact contains 2 eval/decoder/string-building token(s).
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image5.emf
    Size: 1272 bytes
    SHA-256: 3c140dae60187f9aed0032a882e3170c1439f3099f9312fd3b47c41883066d5b
  • emf_01.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image6.emf
    Size: 1272 bytes
    SHA-256: ecd7a9400b6ff11ef1cb9c0104990b9b394842d515cfe2a52d837c545ac74a5b
  • emf_02.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image7.emf
    Size: 1272 bytes
    SHA-256: 590e7d3729467c06e3eea299b2a7ea2e6a9b2cfd402b1882c6de5abef68edfe5
  • emf_03.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image4.emf
    Size: 6120 bytes
    SHA-256: 8d48cc789533c4117cbddfbde01112daa00bec1fd07b3dc8356661f8a2a687af
  • emf_04.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 1868 bytes
    SHA-256: fd98394bc27622290d00b36960ce94295da097d3c24a3849dba5d16975c6b2df
  • emf_05.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 1272 bytes
    SHA-256: 763b992658dac391bf8886f53e454088707d80f8cc7727c425b77674e07f52d3
  • emf_06.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image3.emf
    Size: 1334084 bytes
    SHA-256: 62a016875789c0bae8a5c5606738813963b54709987eca3a8a30e04980daaf92