Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b7135e98dc24a6a…

MALICIOUS

Office (OLE)

38.5 KB Created: 1997-01-10 04:21:27 Authoring application: Microsoft Excel First seen: 2015-05-07
MD5: 518468d27021c96ba2d9a1cf2c0df28d SHA-1: 86759c7f94ce337b63bdf2ac9144b242bb8fc903 SHA-256: 4b7135e98dc24a6ac8c15dd3a21bb9c9457a1c53a5d299d20822536ad2f84707
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as a legacy Excel formula macro virus, specifically 'Poppy by VicodinES' and 'XF.Classic'. The document body contains what appears to be an attendee list for an event, with the filename '비상연락망111.xls' (Emergency Contact List.xls) and references to 'Book1.xls' and 'xlstart\Book1'. The VBA macro, though containing no executable statements itself, is associated with the virus marker, indicating the file's malicious intent is likely embedded within its formula structure.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 607 bytes
SHA-256: b459545a48ab9211384fe423312fcab39ec030c9121b7a8cce2c7bed603bea9f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet64"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True