Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e91f542c8e5df1d…

MALICIOUS

Office (OLE)

37.5 KB Created: 2008-12-12 09:56:27 Authoring application: Microsoft Excel First seen: 2015-01-04
MD5: b89a1e1c1e51e0425abbc0b03f1f1557 SHA-1: afae258588ea9add5b27a8cc6826d836cc2eb0a2 SHA-256: 1e91f542c8e5df1d13844e3797bd6b0e63d3f3c87ac47cf3ea96c3eaf943f1b7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as a legacy Excel formula macro virus, specifically 'Poppy' or 'XF.Classic', as indicated by the critical heuristic firing. The document body contains strings related to this virus, including its name, creator ('The Narkotic Network 1998'), and a path that suggests it attempts to infect the Excel startup directory. This indicates a clear intent to spread and potentially execute malicious code through Excel macros.

Heuristics 1

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.