Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5c943da10fbf39ea…

MALICIOUS

Office (OLE) / .XLS

Size: 1.09 MB
Created: 2007-04-18 13:32:51
Authoring application: Microsoft Excel
MD5: c609a9e3e971d35d313a87c6bf8f107b
SHA-1: 0826d488247d5c61764730319c4ce8888c5c80b8
SHA-256: 5c943da10fbf39ea3ee63fd5c69882f36a4a482f6b3ebf8454a48bba04dacf4e
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates a legacy Excel Formula Macro Virus marker, specifically mentioning 'Poppy by VicodinES' and 'XF.Classic'. The document body contains text referencing 'Excel Formula Macro Virus (XF.Classic)', 'Poppy by VicodinES', and 'The Narkotic Network 1998', along with instructions to 'Infect Workbook' and save it as 'Book1.xls'. This strongly suggests the file's purpose is to infect other Excel workbooks using XLM macros.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.