Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 53ac639597a99785…

MALICIOUS

Office (OLE) / .XLS

Size: 3.28 MB
Created: 2000-03-07 14:04:16
Authoring application: Microsoft Excel
MD5: 3b7bb5598d132538d1d172a1f7f83a66
SHA-1: 7d831ed7df4befe9d87ae6c09be25f18b8ed5683
SHA-256: 53ac639597a99785f53fcd2e07bca9272c6d33bb57a41c7b70270759fc80e08b
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file contains legacy Excel 4.0 (XLM) macro code, indicated by the OLE_XLM_AUTOOPEN and OLE_XLS_FORMULA_MACRO_VIRUS heuristic firings. The macro appears to be designed to infect other workbooks and save them with names like 'ÿÿÿÿÿ.xls' or 'Book1.xls' in the 'xlstart' directory. The document body content, while appearing to be a timesheet, also contains references to 'Classic.Poppy by VicodinES' and 'The Narkotic Network 1998', suggesting a known legacy macro virus.

Heuristics (2)

  • Legacy Excel formula macro virus marker [critical] OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.