Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 61c6588f85168a0e…

MALICIOUS

Office (OLE)

Size: 2.33 MB
Created: 2008-07-09 21:01:09
Authoring application: Microsoft Excel
MD5: 4ce316ab3755397264286f319f36152d
SHA-1: e3e3159b443bbc7aee6d9b404fa2001149339b9c
SHA-256: 61c6588f85168a0e1aa208abcdf2f0c1c939d0c9329625da1bc2ea98962e9ade
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing legacy Excel 4.0 (XLM) macros, identified by critical and medium heuristic firings. These macros are known to be used for malicious purposes, including the execution of second-stage payloads. The presence of markers like 'XF.Classic', 'Poppy by VicodinES', and 'Narkotic Network' strongly suggests a known macro-based malware family, though a specific family could not be definitively identified.

Heuristics (3)

  • Legacy Excel formula macro virus marker [critical] OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 9935b21f2c3fc3ddcc8f896564113faf09fde0f803ab9b01d0cef0ded5f2a61b
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6205 bytes