Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1c68336499955531…

MALICIOUS

Office (OLE) / .XLS

629.5 KB Created: 1999-03-12 07:08:30 Authoring application: Microsoft Excel
MD5: b838063f0c051dcd27527c996dfc3c50 SHA-1: a2800c1e901072a4f03ebfa03134313af58c8681 SHA-256: 1c6833649995553179b28afa368f59d3a4bd4ff61839369c70b42a563da0da97
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is an Excel spreadsheet containing embedded macro virus markers, specifically identifying it as a 'Classic.Poppy' variant from 'The Narkotic Network 1998'. The document body contains text that appears to be a mix of Vietnamese financial forms and English strings related to macro virus infection, including paths like 'C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\xlstart\ÿÿÿÿÿ.xls'. This suggests the document is designed to spread a legacy Excel macro virus.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Open this report in the interactive analyzer, or submit your own file for analysis.