Office (OLE) / .XLS malware analysis — malicious · 5184a59a5804fc97

MALICIOUS

Office (OLE) / .XLS

1.34 MB Created: 2010-02-23 08:53:44 Authoring application: Microsoft Excel

MD5: e1ceb4e90e58e6b296fcc070a82d2aae SHA-1: a32850afa1f3842bf99ecf6979ae08e7ee2bbb55 SHA-256: 5184a59a5804fc973f678ca794ba8ef933d3040b8e3e623962de968a37e9c750

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1059.001 PowerShell

The sample is an Excel 4.0 (XLM) macro-enabled spreadsheet. The presence of 'XL4Poppy' in the document body and the critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' strongly suggest the use of legacy Excel macro techniques. While no scripts were explicitly extracted, the XLM macro sheet itself is the malicious component, likely designed to execute commands or download further payloads upon opening. The document content appears to be a business-related agreement, a common lure for macro-enabled documents.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.