Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6d52cec6fb8335c6…

MALICIOUS

Office (OLE)

Size: 144.5 KB
Created: 2012-09-16 01:21:27
Authoring application: Microsoft Excel
First seen: 2015-09-18
MD5: 217cf1b545f0a3910ce33acc90e5ad80
SHA-1: 545d02da3627e28f0297ce22983a69838713c0e5
SHA-256: 6d52cec6fb8335c656e90eb90b6a816cb3093aa005899f145d8e95807c0901ab
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing for 'Legacy Excel formula macro virus marker' and the medium firing for 'Excel 4.0 (XLM) macro sheet present' indicate the presence of old-style Excel macros. The document body confirms this by referencing 'Classic.Poppy by VicodinES' and 'An Excel Formula Macro Virus (XF.Classic)', suggesting a self-replicating macro intended to infect other Excel files via the xlstart directory.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.