Office (OLE) malware analysis — malicious · 38c1baf894b83d9b

MALICIOUS

Office (OLE)

1.34 MB Created: 2009-12-25 01:34:40 Authoring application: Microsoft Excel

MD5: 5e9e00213ae7d9a89ba2fa1132ad94f5 SHA-1: 8a720ec37cb446433b6f618b27b3452500534629 SHA-256: 38c1baf894b83d9bc72c1af7c5d82a211254948955d2c060f292bdd6f66a97a2

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains legacy Excel 4.0 macros, specifically identified as 'XLM_AUTOOPEN' and 'XLS_FORMULA_MACRO_VIRUS'. The document body mentions 'Classic.Poppy by VicodinES' and 'The Narkotic Network 1998', suggesting it's a variant of the Poppy macro virus. The macro appears to infect other workbooks and save them as 'Book1.xls' in the Excel startup directory, indicating a potential for propagation and execution upon Excel startup.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.