Malicious Office (OLE) / .TMP — malware analysis report

Static analysis result for SHA-256 60dc48c4fe8b1c96…

MALICIOUS

Office (OLE) / .TMP

1.24 MB Created: 2006-05-11 06:04:55 Authoring application: Microsoft Excel
MD5: e04fb915565f82bee12ece6f04106489 SHA-1: 3947378ef95dfa34c7fbc27fa1683e1f31396807 SHA-256: 60dc48c4fe8b1c9693a7ee05a85966a9c38c015291cd7fee9f840a12b2c1c370
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic firing for 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium firing for 'OLE_XLM_AUTOOPEN' indicate the presence of legacy Excel 4.0 macros. The 'XL4Poppy' string found in the document body is likely a marker or identifier for this macro-based threat. The VBA project itself contains no executable statements, suggesting the primary malicious activity is driven by the XLM macros.

Heuristics 3

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
72ccbb24e7ba4e12e166f9671028a1584b03660e28d2a3b6324a7fd19183a79c		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1806 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.