Office (OLE) / .XLSX malware analysis — malicious · 23355ae53d80e28c

MALICIOUS

Office (OLE) / .XLSX

526.0 KB Created: 2002-10-28 07:04:54 Authoring application: Microsoft Excel

MD5: f1ad7383d09b0e8e3da0a555a2fba0c5 SHA-1: 587cab468ae1d58d627c16dacb1705fa05998b35 SHA-256: 23355ae53d80e28c898419595909cb4757f3a9b897e57515c1870b3106166cd7

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Service Execution: Visual Basic

The sample contains critical heuristic firings indicating the presence of legacy Excel 4.0 macros, specifically identified as 'Excel Formula Macro Virus' and associated with 'Poppy by VicodinES' and 'Narkotic Network'. The document body contains what appears to be a list of telecommunications equipment and locations, suggesting a potential lure or distraction. The macro sheet itself is hidden and likely contains code to execute malicious actions, although the specific payload is not detailed in the provided evidence.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `8cbde3e612c975ef1b462ddb9c4a15b6f08d21578b14d37e205d63de38cba9e1`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	82117 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.