Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 41a8b5209f1ca2ce…

MALICIOUS

Office (OLE) / .XLS

Size: 383.0 KB
Created: 2002-02-01 19:41:46
Authoring application: Microsoft Excel
MD5: bdb9a6624acc8a67e93557f11db8d29c
SHA-1: 1f80c6d236adfabbeaefba69334d2748091708a4
SHA-256: 41a8b5209f1ca2ced42670e3e96ae9b4734734e05bdff44d42a69a667e363951
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' indicates this is a legacy Excel formula macro virus, specifically identified as 'XF.Classic' and 'Poppy by VicodinES'. The document body contains embedded text referencing 'An Excel Formula Macro Virus (XF.Classic)' and 'Hydrocodone/APAP 10-650 For Your Computer', along with code snippets such as 'Add New Workbook, Infect It, Save It As .xls'. This strongly suggests the file's purpose is to infect other Excel workbooks. The presence of multiple URLs under the same domain indicates potential command-and-control or payload-distribution infrastructure.

Heuristics (2)

  • Legacy Excel formula macro virus marker (critical): OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Embedded URL (info): EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ttktthhn-dongnai.edu.vn/Du
    • http://ttktthhn-dongnai.edu.vn/Tlthg11uyen.xls
    • http://ttktthhn-dongnai.edu.vn/BAOCAOGO.XLS
    • http://ttktthhn-dongnai.edu.vn/Tlthg11.xls