Xls.Dropper.Agent-7688247-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 fa4f6885faa907f8…

MALICIOUS

Office (OLE)

55.0 KB Created: 2020-04-23 23:00:38 Authoring application: Microsoft Excel First seen: 2020-07-24
MD5: d91a0f3ac97f6ad27f89e8982272654c SHA-1: d833629e03670f82eff76d41abce8c5195cc9395 SHA-256: fa4f6885faa907f83be3ed8cab6cd5541768902dee7e7cc303e676b804b07b9d
120 Risk Score

Malware Insights

Xls.Dropper.Agent-7688247-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as an encrypted Excel 4.0 macro sheet, a common technique for delivering malicious payloads. The presence of XLM macros and the ClamAV detection name 'Xls.Dropper.Agent-7688247-0' strongly suggest its function as a dropper. The encrypted nature of the macro sheet indicates an attempt to obfuscate its malicious behavior.

Heuristics 3

  • ClamAV: Xls.Dropper.Agent-7688247-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7688247-0
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.