Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 461f8db454e432e5…

MALICIOUS

Office (OLE)

Size: 307.5 KB
Created: 1999-12-12 13:16:55
Authoring application: Microsoft Excel
First seen: 2015-10-04
MD5: 7c24ec9bb41155b3cbc9fb9dbf73fa70
SHA-1: 326d5eda19db5d735d3981d5c206ef9e0881111d
SHA-256: 461f8db454e432e5f45011a686a08e66d46864451334d98a77ec3838cbc7ecd4
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel document identified as a legacy Excel formula macro virus, specifically 'Poppy by VicodinES' and 'XF.Classic'. The document body contains Vietnamese financial and tax-related text, likely intended as a lure to trick users into opening the document and running the malicious macro. The presence of the markers 'Excel Formula Macro Virus' and 'Poppy by VicodinES' strongly indicates malicious intent to execute legacy macro code.

Heuristics 1

  • Legacy Excel formula macro virus marker [critical] (OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.