Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2bf87c9886554b4b…

MALICIOUS

Office (OLE)

954.0 KB Created: 2007-05-11 14:57:41 Authoring application: Microsoft Excel First seen: 2015-06-23
MD5: e803a635df11a61e05a648a63c3efccc SHA-1: db8d8fd05e55e0f5e495ffe1e1910e121e9c0399 SHA-256: 2bf87c9886554b4b183b07620930a71009c87457d80a20afe8f4181b792a6396
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic firing for 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium firing for 'OLE_XLM_AUTOOPEN' indicate the presence of legacy Excel 4.0 macros. The heuristic details mention 'Poppy by VicodinES' and 'Narkotic Network', suggesting a known malicious macro variant. The document body contains strings that are likely part of the macro's obfuscation or payload, including 'XL4Poppy'. The primary function of these macros is likely to execute arbitrary code, potentially leading to the download and execution of further malicious content.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.