Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 28d9d974d012d0d5…

MALICIOUS

Office (OLE)

Size: 67.5 KB
Created: 2003-12-31 08:46:19
Authoring application: Microsoft Excel
First seen: 2015-09-30

MD5: 97f1881e087b4422c76bef1e91ca0c20
SHA-1: 62072b4aae3264e25be1d029d9c900a5bb7c3ae3
SHA-256: 28d9d974d012d0d527d8698c0a18bfc7701916db50da228c913519f1d35430aa

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is identified as a legacy Excel formula macro virus, specifically 'Poppy by VicodinES' and 'The Narkotic Network'. The document body contains what appears to be a financial report template, but it also includes embedded text related to the virus, such as 'Classic.Poppy by VicodinES' and 'Hydrocodone/APAP 10-650 For Your Computer'. This suggests the file is designed to exploit older macro vulnerabilities in Excel to deliver a payload.

Heuristics (1)

  • Legacy Excel formula macro virus marker [critical] OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.