Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1c4bb08099ec38c8…

MALICIOUS

Office (OLE)

Size: 150.5 KB
Created: 2006-09-13 11:21:51
Authoring application: WPS Office 2009 专业版 (Professional Edition)
First seen: 2015-02-17
MD5: 5b89552344c058963cb5d57d12860b67
SHA-1: 6d9cb9b6b015448453981acf501d3b7529aa1a9f
SHA-256: 1c4bb08099ec38c85ec696d6ef82a15c94acdfd52efc82e6730b3e5cb8f08ca1
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy Excel 4.0 (XLM) macros, indicated by critical heuristic firings related to 'Excel Formula Macro Virus' and specific markers like 'Poppy by VicodinES' and 'The Narkotic Network'. These macros are designed to infect other workbooks and likely facilitate financial fraud or data exfiltration, as suggested by the document body's references to financial details and customer information.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, rule OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.