Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 44b93fd47b9670a7…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2015-09-20
MD5: 448bde6c5218cea367d1d5cd131d2210
SHA-1: f0c32550310d527b193caf0a22058b48d9fca0b8
SHA-256: 44b93fd47b9670a732664a748eb4423d82f61dc7bc962cf490a6f3e33a5b5ba6
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains critical heuristic firings indicating it is a legacy Excel 4.0 (XLM) macro virus, specifically identified as 'Classic.Poppy by VicodinES' and 'Poppy by VicodinES'. The document body confirms this, referencing 'Excel Formula Macro Virus (XF.Classic)' and detailing its self-propagation mechanism by infecting and saving other workbooks as 'Book1.xls' in the Excel startup directory.

Heuristics 2

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.