XF.Classic — Office (OLE) malware analysis

Static analysis result for SHA-256 76952c7e6376c800…

MALICIOUS

Office (OLE)

Size: 215.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2015-09-24
MD5: 62f461297dc4f7d58792a71121e616e0
SHA-1: 0a5e4b1212913b34a40f1d2dc9ea1f62ffbe5b17
SHA-256: 76952c7e6376c80025c13b0a44d47f2d00e2b73c2b70b32d17bb66ec6e481958
Risk Score: 80

Malware Insights

XF.Classic · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic that fired indicates this is a legacy Excel formula macro virus, specifically identified as 'XF.Classic' by 'The Narkotic Network'. The macro sheet contains code that infects other workbooks and saves them as 'Book1.xls' in the XLSTART directory, which suggests an attempt to establish persistence or to spread.

Heuristics (2)

  • Legacy Excel formula macro virus marker · critical · OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present · medium · OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.