Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 52a4ed0da9fce2f2…

MALICIOUS

Office (OLE) / .XLS

26.0 KB Created: 2010-05-19 03:03:55 Authoring application: Microsoft Excel
MD5: a157bdfbadcf7c0737d1bdc07b8bb3e3 SHA-1: 7eb57bf08dc90a64bf5533bf289024e7515bf220 SHA-256: 52a4ed0da9fce2f2aee952e2a74eb8111dd4f8cbc448dcd59d66fdec13d0ce48
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Service Execution T1059.001 PowerShell: PowerShell

The file is an Excel 4.0 (XLM) macro-enabled spreadsheet. Heuristics indicate the presence of an Auto_Open macro, which is a common technique for legacy macro viruses. The embedded XLM macros contain references to 'Poppy' and 'XF.Classic', suggesting it's a variant of the 'Poppy' macro virus. The macro sheet contains dangerous formula APIs like RUN, indicating it attempts to execute arbitrary commands. The document body and macro comments explicitly mention 'An Excel Formula Macro Virus (XF.Classic)' and 'The Narkotic Network 1998', further supporting the identification of a legacy macro virus.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
54a1da7beb2f8cd5da63e693202f7d79a5872d894c66e3cd955110099a772487		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 8257 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.