Malicious Office (OLE) / .VN — malware analysis report

Static analysis result for SHA-256 06928c2e085fdc5f…

MALICIOUS

Office (OLE) / .VN

46.0 KB Created: 2010-01-20 03:53:33 Authoring application: Microsoft Excel
MD5: b620b11a327ff3c9d29377c703ff40ca SHA-1: 01f210b30429b417bf6122ceabeb96a8a868fcde SHA-256: 06928c2e085fdc5f199f7525561fe615e67275025973ee31e78a19a786742e1e
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is a legacy method for executing code upon opening the workbook. Heuristics indicate the use of dangerous functions like RUN, suggesting the macro is designed to execute arbitrary code. The presence of the 'XL4Poppy' string and the 'Poppy by VicodinES' marker in the heuristics strongly suggests this macro is part of a known malware family, though specific attribution is not possible from the provided data. The macro likely downloads and executes a second-stage payload.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
10c5f2bf24b1ab45c6743036bec0d8f3eee9b49d0cdc00c96ddb0dddf0ba85be		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 49399 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.