MALICIOUS
602
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is an Excel document identified by ClamAV as 'Xls.Dropper.Agent-7079703-0'. It contains multiple embedded PE executables and OLE objects, indicating a dropper functionality. Heuristics for CreateProcess, ShellExecute, and URLDownloadToFile suggest the file's intent is to download and execute additional malicious content. The presence of embedded executables strongly supports this dropper behavior.
Heuristics 14
-
ClamAV: Win.Trojan.Agent-6943819-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Agent-6943819-1
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 647,349 bytes but its declared streams total only 12,288 bytes — 635,061 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMSThis finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ocsp.verisign.com0 In document text (OLE body)
- http://crl.verisign.com/ThawteTimestampingCA.crl0In document text (OLE body)
- http://crl.verisign.com/tss-ca.crl0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0OIn document text (OLE body)
- http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0In document text (OLE body)
- http://office.microsoft.comIn document text (OLE body)
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0000660a.exe |
embedded-pe | Office MZ+PE at offset 0x660A | 621227 bytes |
SHA-256: c4dc59d4e9b4622b4a2c8083538a2e0ee49c4cefc098427bcaf3aff723167d6e |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-6943819-1
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off00003605.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x3605 | 633520 bytes |
SHA-256: c9e5c5ccfda127dd2649a6f6d7cc3904038d5cc1b172d765b9f28066524ec8d4 |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-6943819-1
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off00006480.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6480 | 621621 bytes |
SHA-256: 17c4f4bd23584f8ee98dd7a43a62349bdf0340388a1814251eb1149298b08bba |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-6943819-1
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_0000660a_1.exe |
embedded-pe | Office MZ+PE at offset 0x660A | 291392 bytes |
SHA-256: 485f6bddb21c173f6ce411ee05123a5ed66617553cfd30dc6ca583949e240ce0 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off0005086b.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x5086B | 317514 bytes |
SHA-256: 897c8c0338c310400a152e5b5563a8bdc6341b790137f6d8ecf1cab82d247c47 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off00053e70.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x53E70 | 303685 bytes |
SHA-256: fc0cb29b9274199a4f6580d713de05a15a214b6e96aef352ce276d17a2621e57 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.