Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 68baae8f95d34518…

MALICIOUS

Office (OLE)

Size: 45.5 KB
Created: 2013-06-27 03:49:19
Authoring application: WPS Office 个人版 (Personal Edition)
First seen: 2014-07-06
MD5: 08ecd79d3e7ce4b3de35f4df0d4ca60f
SHA-1: 36a85d3f675ef280a74e01d3b02eb589b5abd95b
SHA-256: 68baae8f95d3451859789537b183743d19e7601c3c66832d3394b2557dbaa84d
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic that fired indicates a legacy Excel formula macro virus (Poppy by VicodinES). The document body contains text referencing 'XL4Poppy' and 'Classic.Poppy by VicodinES', along with a path suggesting an attempt to infect or modify 'Book1.xls' in the Office startup directory. This indicates the macro is intended to spread and likely to execute further malicious actions.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.