Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e38ffa615673c9a…

MALICIOUS

Office (OLE)

Size: 153.0 KB
Created: 2009-10-23 07:47:19
Authoring application: Microsoft Excel
First seen: 2015-09-29
MD5: a1939ada3d8071c0291b7cabadcfd860
SHA-1: eb83d8cd3e58ad490b1ea2e95a4c6fd32ed4fda1
SHA-256: 1e38ffa615673c9a5450dcb1fffe7219a21cb4f2c140f64b62646171c3c710e9
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium heuristic 'OLE_XLM_AUTOOPEN' indicate the presence of legacy Excel formula macros, specifically identified as 'XF.Classic' and 'Poppy by VicodinES'. The document body contains strings related to these macros, including 'An Excel Formula Macro Virus (XF.Classic)' and 'Hydrocodone/APAP 10-650 For Your Computer', suggesting a malicious intent to infect or deliver a payload. The macro appears to infect other workbooks and save them as 'Book1.xls'.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical; rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium; rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.