Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6a46978fe99bf50a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 160.5 KB | Created: 2013-08-17 04:53:02 | Authoring application: Microsoft Excel | First seen: 2015-09-20
MD5: 2bf2349407bf4934a830f16876065460
SHA-1: 78bca7ee7c0567a5577196e9c04f5e9dc2876023
SHA-256: 6a46978fe99bf50aded52451cd87d6a8d6df8811ef6cc53c291cd125eadd33d7
Risk Score: 80

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The file contains critical heuristics indicating the presence of a legacy Excel 4.0 macro virus, specifically identified by the embedded strings 'Classic.Poppy by VicodinES' and 'The Narkotic Network 1998'. The macro sheet is designed to infect other workbooks, including the 'Book1.xls' file located in the XLSTART directory, which suggests an attempt to establish persistence (XLSTART contents are opened automatically when Excel starts) or to spread. The document body, while appearing as financial tracking data, contains embedded strings related to the macro's origin and purpose.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.