Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 295e423d91f162e5…

MALICIOUS

Office (OLE)

Size: 180.0 KB
Created: 2014-05-14 09:06:42
Authoring application: Microsoft Excel
First seen: 2015-09-30
MD5: 886edffab3f764cc82f032e230c5fb20
SHA-1: 914549f1eeff370619e25448189560f2225dfcb3
SHA-256: 295e423d91f162e504512f0f337a048a6138bf2afcecc051663f096e83f98d39
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic that fired indicates the presence of a legacy Excel formula macro virus, specifically one carrying the markers 'Poppy by VicodinES' and 'Narkotic Network'. This strongly suggests the use of Excel 4.0 (XLM) macros, which are often used to download and execute further malware stages. The document body contains what appears to be academic course information, most likely a lure to disguise the malicious macro functionality.

Heuristics (2)

  • Legacy Excel formula macro virus marker [critical] (OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.