Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5282482a94ea2201…

MALICIOUS

Office (OLE) / .XLS

Size: 998.5 KB
Created: 1999-03-17 16:40:35
Authoring application: Microsoft Excel
MD5: 1ce4b02ff5875f118a18aef71fe3afec
SHA-1: 16d1f8b3d242ca8415437e0c852742c3185e7cb7
SHA-256: 5282482a94ea22011a2e46bef59d83177c7e9127bcc48cbca9cf8b049a0f5acd
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1547.001 Registry Run Keys / Startup Folder

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium heuristic 'OLE_XLM_AUTOOPEN' indicate that the workbook carries legacy Excel formula (XLM) macro code rather than a VBA project. The 'DOC BODY' contains strings such as 'Add New Workbook, Infect It, Save It As Book1.xls' and the paths 'C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\xlstart\Book1.' and 'C:\Documents and Settings\SD7\Application Data\Microsoft\Excel\XLSTART\Book1.'. Together these suggest that the macro creates a new workbook, infects it, and saves the copy into the XLSTART folder; Excel opens every workbook in XLSTART on startup, which gives the infector persistence and is the basis for the T1547.001 mapping above. The self-identifying strings 'Poppy by VicodinES' and 'Narkotic Network' are markers typical of 1990s-era macro malware, consistent with the 1999 creation timestamp.

Heuristics 2

  • Legacy Excel formula macro virus marker (critical, OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.