Office (OLE) malware analysis — malicious · 5973ac84d193ceea

MALICIOUS

Office (OLE)

144.5 KB Created: 2010-12-26 06:34:11 Authoring application: Microsoft Excel First seen: 2015-09-16

MD5: 343f66c5b28c53a595e1299434f3896a SHA-1: cfdb82e6d901bf2cc51d83af844ad059f1b720fc SHA-256: 5973ac84d193ceea82908db2659630793036f44b7c30024bbf8fdec93b952fe5

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic firing 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium heuristic 'OLE_XLM_AUTOOPEN' indicate the presence of a legacy Excel Formula Macro Virus. The document body contains explicit references to 'Excel Formula Macro Virus (XF.Classic)', 'Poppy by VicodinES', and 'The Narkotic Network 1998', suggesting a known malware family. The script content indicates it infects a new workbook, saves it as Book1.xls, and likely downloads a second-stage payload.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.