Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c201844412bc7ea…

MALICIOUS

Office (OLE)

Size: 180.5 KB
Created: 2014-05-14 09:11:14
Authoring application: Microsoft Excel
First seen: 2015-09-18
MD5: 287e529d90db99bb7df55779dc7dc330
SHA-1: 77123d567ccc4a61d74db63e164a9f0b3fde2ee0
SHA-256: 7c201844412bc7ea0e618210b20f007a1557bc1eac4fe78b29889c5689ff7173
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'Legacy Excel formula macro virus marker' and the medium heuristic 'Excel 4.0 (XLM) macro sheet present' together strongly indicate a classic Excel macro virus. The extracted text mentions 'Excel Formula Macro Virus (XF.Classic)' and 'Poppy by VicodinES', both indicators of this type of threat. The document body, while appearing to be academic course data, is likely a lure that disguises the malicious macro execution.

Heuristics (2)

  • Legacy Excel formula macro virus marker [critical] (OLE_XLS_FORMULA_MACRO_VIRUS)
    The Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    The Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.