Office (OLE) malware analysis — malicious · 53dfbd9c37cc0b40

MALICIOUS

Office (OLE)

2.05 MB Created: 2009-10-02 08:02:18 Authoring application: Microsoft Excel

MD5: bf634d63dbf67bc9d1a65fc44c75c4fc SHA-1: dce77920f68efc59f3d38e4937df71620589ec78 SHA-256: 53dfbd9c37cc0b400e18162ecdd840d9d556902438fe21ca0d55da1588f589b6

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The file contains legacy Excel 4.0 (XLM) macro sheet markers and a critical heuristic firing for a legacy Excel formula macro virus, identified as 'Poppy by VicodinES' and associated with 'The Narkotic Network'. The document body, disguised as a price quotation request, contains embedded text referencing the virus name and its payload, indicating it's designed to execute malicious code upon opening. The script section explicitly mentions 'Add New Workbook, Infect It, Save It As' and 'Infect Workbook', confirming its role as a macro-based dropper.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.