Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6629b03477e50877…

MALICIOUS

Office (OLE)

136.0 KB First seen: 2015-09-26
MD5: 5cc5872f3108de5d075fd0b047fb9290 SHA-1: 66cdb59185d103c80d965e7657c8e5229115bfe6 SHA-256: 6629b03477e5087794d417f255be2141bb2be1697d9faaed620e7cdde8bc2b48
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of a legacy Excel formula macro virus marker, specifically mentioning 'Poppy by VicodinES' and 'Narkotic Network', suggesting a known malicious pattern. The medium heuristic confirms the presence of Excel 4.0 macros. The document body appears to be a construction bid or cost breakdown, which is likely a lure to disguise the malicious macro execution.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.