Office (OLE) / .XLS malware analysis — malicious · 4c65e52470ba1a0e

MALICIOUS

Office (OLE) / .XLS

1.06 MB Created: 2005-09-12 03:35:27 Authoring application: Microsoft Excel

MD5: 7152bd7bf56302a45b3c12e4c42111d9 SHA-1: eeb5435bbcc0dfe8bc9085d1e2cf7fb1bb4a6fdd SHA-256: 4c65e52470ba1a0e73fd0efc3a8072e1e547f1dbe5247daad5ddd20e8563734d

68 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The file is an Excel 97-2003 worksheet identified as a legacy macro virus. The embedded VBA macros, though not containing executable statements directly, are associated with the 'Poppy by VicodinES' and 'XF.Classic' markers, indicating a known macro virus. The document body contains strings related to infection and payload delivery, such as 'Add New Workbook, Infect It, Save It As Book1.xls' and 'Infect Workbook'. The presence of 'Book1.xls' and its path suggests an attempt to infect the default Excel startup template.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0f55afcc609c9a13e8fbae80c9a65ca1f2d63894a5032dee4d08ffc3bfa35379`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.