Office (OLE) / .XLS malware analysis — malicious · 69e9b0a670f34414

MALICIOUS

Office (OLE) / .XLS

412.5 KB Created: 2010-07-30 00:18:06 Authoring application: Microsoft Excel

MD5: 9b7ca3fb9604c7002077cbe9b11006e6 SHA-1: 583130aa3a55bd3210a4ee3953b1f1245d78b271 SHA-256: 69e9b0a670f34414ac2c76541c1b026321e2db3e07c347ea173efcb7f50e23c2

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of a legacy Excel Formula Macro Virus, specifically mentioning 'Poppy by VicodinES' and 'The Narkotic Network'. The document body confirms this, referencing 'Classic.Poppy by VicodinES' and 'An Excel Formula Macro Virus (XF.Classic)'. The macro appears designed to infect other workbooks, as evidenced by the path 'C:\Program Files\Microsoft Office\OFFICE11\xlstart\Book1.' which suggests an attempt to infect the default startup workbook.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.