Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 505e9e2661e37424…

MALICIOUS

Office (OLE) / .XLS

426.5 KB Created: 2008-03-26 09:45:34 Authoring application: Microsoft Excel
MD5: af2cc25c42dd28de8747370dc80b037b SHA-1: f494aed686e3f0a5c97da50891e482dbc335621d SHA-256: 505e9e2661e374243708ac41ab3948d231a1dd54a980922e7fb39f156247efe9
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' indicates this is a legacy Excel Formula Macro Virus, specifically mentioning 'Classic.Poppy by VicodinES', 'XF.Classic', and 'The Narkotic Network 1998'. The document body confirms this, referencing 'An Excel Formula Macro Virus (XF.Classic)' and 'The Narkotic Network 1998', along with a payload description 'Hydrocodone/APAP 10-650 For Your Computer'. The virus appears designed to infect other workbooks and save them as 'Book1.xls'.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.