XF.Classic — Office (OLE) malware analysis

Static analysis result for SHA-256 07b58d1c79530e91…

MALICIOUS

Office (OLE)

38.5 KB Created: 2013-11-04 02:39:19 Authoring application: Microsoft Excel First seen: 2015-02-05
MD5: d4359a78793df37f8f189a8c7f7f8801 SHA-1: 0e2ec6a6a34d5726e449ccb2e9b3683bf5117de7 SHA-256: 07b58d1c79530e91ee97df610adcdf32ea314a225aa0ca12420d19f6ff4596bd
80 Risk Score

Malware Insights

XF.Classic · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' and the presence of XLM macro sheet markers indicate the use of a legacy Excel macro virus. The document body explicitly mentions 'Excel Formula Macro Virus (XF.Classic)' and 'Poppy by VicodinES', suggesting the family and its origin. The script's intent appears to be infecting other workbooks and potentially delivering a payload, as indicated by phrases like 'Infect Workbook' and 'Simple Payload'.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.