Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 79563f630303a434…

MALICIOUS

Office (OLE) / .XLS

Size: 3.95 MB
Created: 2007-06-12 08:08:56
Authoring application: Microsoft Excel
MD5: 56f9c45524f9f05ba4e9e40a455e68c7
SHA-1: f6f9c4f0215476cbdcbac71c9acba2b9b1b05102
SHA-256: 79563f630303a434256c732f6c2b3cb8cc6d0a8ccf57e71377134ff78fcafd4d
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel spreadsheet containing legacy Excel 4.0 macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLS_FORMULA_MACRO_VIRUS heuristics. The document body contains text referencing 'Excel Formula Macro Virus (XF.Classic)' and 'Poppy by VicodinES', suggesting a known malware family. The macros are designed to infect other workbooks and potentially download further payloads, as evidenced by the 'Simple Payload' and 'Add New Workbook, Infect It, Save It As Book1.xls' sections.

Heuristics (2)

  • OLE_XLS_FORMULA_MACRO_VIRUS (critical): Legacy Excel formula macro virus marker
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • OLE_XLM_AUTOOPEN (medium): Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.