Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 19cb662885a1e438…

MALICIOUS

Office (OLE) / .XLS

Size: 502.0 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: 45c35fc6b7968d3271357b4b194bcbe3
SHA-1: be79f8fc7b37be52770857df6133b44d4d7edef1
SHA-256: 19cb662885a1e43890827787f0e3398672ec2daea30d0407f0b43538c4b42cbb
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel spreadsheet whose cell text strongly suggests an advance-fee scam, referencing lottery winnings and financial drafts. Heuristics confirm this, matching both a classic advance-fee fraud document shape and a legacy Excel formula macro virus. The document body also contains the strings 'Poppy by VicodinES' and 'The Narkotic Network', self-identifying markers of a known legacy macro virus. The macro code attempts to infect other workbooks and save them as 'Book1.xls' in the Excel startup directory, which would cause the macro to load whenever Excel starts, establishing persistence and spreading to any workbook opened afterwards.

Heuristics (2)

  • Legacy Excel formula macro virus marker — severity: high — rule: OLE_XLS_FORMULA_MACRO_VIRUS
    The Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Advance-fee lottery/parcel scam lure — severity: high — rule: SE_ADVANCE_FEE_SCAM_LURE
    The document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.