Office (OLE) / .XLS malware analysis — malicious · 54082432e5e94961

MALICIOUS

Office (OLE) / .XLS

284.0 KB Created: 2010-03-04 02:24:25

MD5: c2c8330475ecbfe5584c1aa0801d5ebf SHA-1: 891c70a0221669922633e9cca869c586778c670a SHA-256: 54082432e5e94961fa073e88aa16c3d49ed8948eb4c7995aa8eeb48dbdc07575

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Service Execution: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell

The file contains legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLS_FORMULA_MACRO_VIRUS heuristic firings. These macros are known to be used for initial execution of malicious code. The specific markers like 'Poppy by VicodinES' and 'Narkotic Network' suggest a connection to older malware families, but without further script content, the exact payload and delivery mechanism remain unclear. The document body content appears to be construction-related financial data, likely a lure.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.