Office (OLE) malware analysis — malicious · 3e49570eafa6f3b6

MALICIOUS

Office (OLE)

161.0 KB Created: 2014-04-24 00:39:17 Authoring application: org.in2bits.MyXls First seen: 2014-12-08

MD5: 4e13d48b2d24e5577ca507db38222145 SHA-1: b0bc19a427a2ac6cbda6ebb87b9d796f95216826 SHA-256: 3e49570eafa6f3b6bd18cf3cc725f9924ac5e89a7efa537627f46294301fe2df

82 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is identified as malicious due to the presence of an Excel 4.0 macro, indicated by the OLE_XLM_AUTOOPEN and OLE_XLS_FORMULA_MACRO_VIRUS heuristics. The macro sheet contains markers and strings associated with legacy Excel macro viruses, including 'Classic.Poppy by VicodinES' and 'The Narkotic Network 1998'. The document body, despite appearing as party member data, contains embedded strings and comments that reveal the macro's intent to infect other workbooks and potentially download a payload, as suggested by the 'Simple Payload' and 'Hydrocodone/APAP 10-650 For Your Computer' strings.

Heuristics 3

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://sourceforge.net/myxls In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.