Malicious Office (OLE) / .X — malware analysis report

Static analysis result for SHA-256 5bf306651fb20abc…

MALICIOUS

Office (OLE) / .X

Size: 1.03 MB
Created: 1999-06-21 01:52:40
Authoring application: Microsoft Excel
MD5: b80c40a5ba5187ab89b2a75b15e5c197
SHA-1: b96189ea21e98a6b26f63473aef9526bbb489197
SHA-256: 5bf306651fb20abc1c31df80eb20bbd7582b6e17dfb514f4fe001eefe50569f9
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of a legacy Excel Formula Macro Virus marker, specifically mentioning 'Poppy by VicodinES' and 'Narkotic Network'. The medium heuristic confirms the presence of Excel 4.0 (XLM) macros. The document body content appears to be construction-related details, likely a lure to disguise the malicious macro's true purpose. The combination of these factors strongly suggests an attack pattern involving the execution of XLM macros.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.