MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Visual Basic
The critical heuristic OLE_XLS_FORMULA_MACRO_VIRUS indicates the presence of legacy Excel formula macros, specifically mentioning markers associated with older malware like 'Poppy by VicodinES' and 'Narkotic Network'. The OLE_XLM_AUTOOPEN heuristic further confirms the use of Excel 4.0 macros. These findings strongly suggest the file is designed to execute malicious code via these legacy macro capabilities.
Heuristics 3
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- Legacy Excel formula macro virus marker (critical, OLE_XLS_FORMULA_MACRO_VIRUS): Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_off00006800.ole (hash 6a13b10dd74f33aa28ec843902d21f396738dc0b9944f9e688e8fbb06570a669) | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6800 | 1412608 bytes |