Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4844c6923414e3d2…

MALICIOUS

Office (OLE) / .XLS

271.5 KB Created: 2010-03-04 00:59:41 Authoring application: Microsoft Excel
MD5: be32836ce5bf6f1e28bc0c5aea0f2793 SHA-1: d095b9a5daf70f714c03d589b55a6e989b9e8886 SHA-256: 4844c6923414e3d28c789892a84b1e7fc7ea2b7e53baf52fd09e2e2428c176c5
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File

The sample is an Excel 4.0 macro sheet, identified by critical heuristics for legacy Excel formula macro viruses. The document body, while appearing as a student fee list, contains embedded text referencing 'Classic.Poppy by VicodinES' and 'The Narkotic Network', indicating a known malware lineage. The presence of multiple URLs suggests a potential download or redirection mechanism. The macro sheet likely executes malicious code upon opening, aiming to download and execute further payloads.

Heuristics 3

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ttktthhn-dongnai.edu.vn/Du
    • http://ttktthhn-dongnai.edu.vn/Tlthg11uyen.xls
    • http://ttktthhn-dongnai.edu.vn/BAOCAOGO.XLS
    • http://ttktthhn-dongnai.edu.vn/Tlthg11.xls

Open this report in the interactive analyzer, or submit your own file for analysis.