Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5cf1b238f2c5455d…

MALICIOUS

Office (OLE) / .XLS

Size: 40.5 KB
Created: 2005-06-13 06:43:21
Authoring application: Microsoft Excel
MD5: 6b197d1f2857f50dc0b6c02e50836547
SHA-1: ba7a39c73b782cb760c218f481e2305a1cb3dc16
SHA-256: 5cf1b238f2c5455d252fbc9ccd958e22d673c8379b5724d3dbf4483e4b13563a
Risk score: 68

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel workbook flagged as a legacy Excel formula macro virus. The Workbook stream (the document body) carries markers and strings matching the 'Classic.Poppy' virus, which infects the 'Book1.xls' file in the Excel startup directory; workbooks in that directory are opened automatically with every Excel session, so a successful infection gives the virus persistence and a vehicle to spread to other workbooks. A VBA project is also present but holds no executable statements, so the formula macro content, not VBA, is the malicious payload.

Heuristics (2)

  • [critical] OLE_XLS_FORMULA_MACRO_VIRUS: Legacy Excel formula macro virus marker
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • [low] OLE_VBA_MACROS: VBA project contains no executable statements
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.
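The two heuristics above are the checks an analyst wants to reproduce by hand before trusting the verdict: does the VBA project actually carry any executable statement once attributes, options and comments are discounted, and does the BIFF8 Workbook stream declare any Excel 4.0 macro sheets (and are they hidden). The example below is added for this report and is not the analysis tool's own code. It runs entirely on constructed input: a synthetic BIFF8 globals substream (BOF, two BOUNDSHEET records, EOF) and two hand-written VBA modules that are assumptions, not content extracted from the sample. The marker strings the tool uses for 'Classic.Poppy' are not on the page, so the marker scan itself is not reproduced here.

```python
from __future__ import annotations
import re
import struct

# --- Part 1: does a VBA module contain executable statements? ---------------
# Lines that olevba emits but that never execute: Attribute and Option
# declarations, apostrophe or Rem comments, and blank lines.
_INERT_LINE = re.compile(r"^\s*(?:Attribute\s+\w+|Option\s+\w+|'|Rem\b|$)", re.IGNORECASE)

def executable_statements(vba_source: str) -> list[str]:
    """Return the lines of a module that are neither attributes, options,
    comments nor blank. VBA line continuations (' _' at end of line) are
    joined first so a continued statement counts once."""
    joined = re.sub(r"[ \t]_\r?\n", " ", vba_source)
    return [ln.strip() for ln in joined.splitlines() if not _INERT_LINE.match(ln)]

# Constructed modules (assumptions for this example, not from the sample).
INERT_MODULE = """Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Option Explicit
' nothing here
Rem also a comment
"""
ACTIVE_MODULE = """Attribute VB_Name = "Module1"
Option Explicit
Sub Auto_Open()
    Shell "cmd.exe /c whoami"   ' runs when the workbook opens
End Sub
"""

# --- Part 2: which sheets does the BIFF8 Workbook stream declare? -----------
BOF, BOUNDSHEET, EOF_REC = 0x0809, 0x0085, 0x000A
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro-sheet", 0x02: "chart", 0x06: "vb-module"}

def iter_records(stream: bytes):
    """Walk BIFF records (2-byte type, 2-byte length, payload) of the
    workbook globals substream; stop at its EOF or on a truncated record."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4: pos + 4 + length]
        if len(data) < length:      # truncated file: do not read past the end
            break
        yield rtype, data
        pos += 4 + length
        if rtype == EOF_REC:        # BOUNDSHEET records only live before this EOF
            break

def list_sheets(stream: bytes) -> list[dict]:
    """Decode BoundSheet8: lbPlyPos(4) hsState(1) dt(1) then a short Unicode string."""
    sheets = []
    for rtype, data in iter_records(stream):
        if rtype != BOUNDSHEET or len(data) < 8:
            continue
        _bof_pos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", data, 0)
        raw = data[8:]
        name = (raw[: cch * 2].decode("utf-16-le", "replace") if flags & 1
                else raw[:cch].decode("latin-1", "replace"))
        sheets.append({"name": name, "type": SHEET_TYPES.get(dt, hex(dt)),
                       "hidden": hs_state & 0x03})   # 0 visible, 1 hidden, 2 very hidden
    return sheets

def _record(rtype: int, data: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(data)) + data

def _boundsheet(name: str, sheet_type: int, hidden: int) -> bytes:
    raw = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBB", 0, hidden, sheet_type)
                   + struct.pack("<BB", len(raw), 0) + raw)

# Constructed BIFF8 globals substream (assumption): one worksheet plus a very
# hidden Excel 4.0 macro sheet, the classic XLM persistence layout.
WORKBOOK_STREAM = (
    _record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))
    + _boundsheet("Sheet1", 0x00, 0)
    + _boundsheet("Macro1", 0x01, 2)
    + _record(EOF_REC, b"")
)

# --- Part 3: combine into the findings the heuristics above report -----------
def triage(workbook_stream: bytes, vba_modules: dict[str, str]) -> dict:
    sheets = list_sheets(workbook_stream)
    macro_sheets = [s for s in sheets if s["type"] == "xlm-macro-sheet"]
    with_code = sorted(n for n, src in vba_modules.items() if executable_statements(src))
    return {
        "xlm_macro_sheets": [s["name"] for s in macro_sheets],
        "hidden_xlm_macro_sheets": [s["name"] for s in macro_sheets if s["hidden"]],
        "vba_modules_with_code": with_code,
    }

if __name__ == "__main__":
    print(triage(WORKBOOK_STREAM, {"ThisWorkbook": INERT_MODULE, "Module1": ACTIVE_MODULE}))
```

On a real file, the Workbook stream comes from `olefile.OleFileIO(path).openstream("Workbook").read()` and the module sources from `VBA_Parser(path).extract_macros()` (olevba), which yields the decoded VBA source that the `macros.bas` artifact below contains; feed those into `triage` in place of the constructed input. A module with zero executable statements is exactly what the low-severity heuristic reports, and a macro sheet that is very hidden (state 2) cannot be unhidden from the Excel UI, which is why it deserves a look even when the VBA project is inert.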

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: d1de4895b50acb512d16887793c6569c67b8e8b5e2a5c3b285eb97afd920a47e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes