Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7ae4a6e1b1de2f0c…

MALICIOUS

Office (OLE)

158.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2014-10-13
MD5: 573e1992409be92b619aac1c0edb3012 SHA-1: 4da3b39f01f4147b74027788ea2becf4087a0e5f SHA-256: 7ae4a6e1b1de2f0cfd9728bcc50b7417d5f0373ad98915c5da70ed214ecfb8f7
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium heuristic 'OLE_XLM_AUTOOPEN' indicate the presence of legacy Excel 4.0 macros. The document body contains strings like 'Classic.Poppy by VicodinES', 'The Narkotic Network 1998', and 'Book1.xls', which are likely related to the macro's functionality or payload. These macros are known to be used for executing arbitrary code, often to download and run further malicious content.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.