Malicious Office (OLE) / .XL — malware analysis report

Static analysis result for SHA-256 5947f72ca7ca1c2d…

MALICIOUS

Office (OLE) / .XL

Size: 344.5 KB
Created: 2005-03-22 03:49:53
Authoring application: Microsoft Excel
MD5: dc2b5922cb23105036fdb49479e8c12d
SHA-1: 19ab74cc2b2097613f2722f71e6c427724d6af92
SHA-256: 5947f72ca7ca1c2d4136e55b468ba9970aaff41a1664f7b76debb003a611c7ff
Risk Score: 268

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The file contains legacy Excel 4.0 macros, including an Auto_Open entry, which is a known technique for executing malicious code. The document body and sheet names suggest a lure related to supplier requests, likely to trick users into enabling macros. The presence of 'XL4Poppy' in the sheet names and the 'Poppy by VicodinES' marker in the heuristics strongly suggest this is a variant of the Poppy malware. No specific download URLs or further execution details were extracted from the provided scripts.

Heuristics (7)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker (critical, OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    The VBA project defines a Workbook_Open event handler, which runs automatically when the workbook is opened and macros are enabled.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • xlm_macros.txt
    SHA-256: bc91762f1ba354aa0dbf20c36d7f87102b2e6d93bc04207069eddab55740d9a6
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 54353 bytes
  • macros.bas
    SHA-256: b0b45c6ab211e608d8a8e3a72643f1611e2e47bb85bb015fc9c34ba6b427ef2c
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 2294 bytes