Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7cf7bb331faab791…

MALICIOUS

Office (OLE)

Size: 320.0 KB
Created: 2012-07-09 05:33:03
Authoring application: Microsoft Excel
First seen: 2015-09-21
MD5: 2f8e61db72e5fd9524aad6aa44c864d0
SHA-1: 7654333547f15f66f694a22ffcb00a46a109fcc7
SHA-256: 7cf7bb331faab791b396b595e86490c9629e9f8eda0c5fa3be0fff750976a0ea
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The critical heuristic fired on a self-identifying marker for a legacy Excel formula macro virus: the Workbook stream contains the string 'Poppy by VicodinES'. The workbook also carries an Excel 4.0 (XLM) macro sheet, which is the structure in which formula macros live and execute, so the marker is consistent with functioning macro code rather than a stray string. The document body contains what appears to be a list of names and addresses. This could be a social-engineering lure, but formula macro viruses of this era spread by infecting other workbooks opened on the same machine, so it could equally be the legitimate content of an infected host workbook. The string 'XL4Poppy' is most likely the name of the macro sheet or the virus's own label for itself.

Heuristics (2)

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    The Workbook stream contains self-identifying strings used by legacy Excel formula macro viruses. This is a content check, not a structural one: it indicates formula macro virus content even when the workbook has no VBA project and no intact XLM macro-sheet structure can be parsed.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    The Workbook stream contains an Excel 4.0 macro sheet sub-stream. XLM macros are rarely seen in modern legitimate workbooks and were a major Office malware vector during 2020-2022, so any macro sheet, and a hidden or very hidden one in particular, warrants manual review.
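The two heuristics above are a structural check (a BoundSheet8 entry typed as an Excel 4.0 macro sheet) and a content check (marker strings anywhere in the Workbook stream). The following is an added example, not the scanner's code and not taken from the analysed file: it parses BIFF8 records from a Workbook stream with the Python standard library and applies both checks. The stream it runs on is constructed inline (the sheet name 'XL4Poppy' and the string-table contents are assumptions chosen to exercise the checks), so it works offline.

```python
"""Parse an OLE Workbook stream (BIFF8) for Excel 4.0 macro sheets and
self-identifying formula macro virus strings.

Illustrative reimplementation of the two heuristics in the report; not the scanner's
code. Runs against a constructed sample stream so it works offline.
"""
import struct

# BIFF8 record identifiers ([MS-XLS]) used below
BOF = 0x0809         # beginning of a substream
BOUNDSHEET = 0x0085  # BoundSheet8: one entry per sheet, in the workbook globals
EOF = 0x000A         # end of a substream
SST = 0x00FC         # shared string table

# BoundSheet8 field encodings
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VB module"}
SHEET_STATES = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}
XLM_MACRO_SHEET = 0x01

# Marker strings quoted in the report (heuristic OLE_XLS_FORMULA_MACRO_VIRUS)
VIRUS_MARKERS = ("Poppy by VicodinES", "XL4Poppy")


def iter_biff_records(stream: bytes):
    """Yield (record_id, payload) for each record; every BIFF record has a 4-byte header."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # truncated final record: stop rather than mis-parse what follows
        yield rec_id, payload
        pos += 4 + length


def parse_boundsheet(payload: bytes):
    """Decode BoundSheet8 -> (sheet name, state code, sheet type code)."""
    if len(payload) < 8:
        raise ValueError("BoundSheet8 record shorter than its fixed header")
    _bof_offset, state, sheet_type, name_len, flags = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    if flags & 0x01:  # fHighByte set: UTF-16LE characters
        name = raw[:name_len * 2].decode("utf-16-le", errors="replace")
    else:             # compressed 8-bit characters
        name = raw[:name_len].decode("latin-1")
    return name, state, sheet_type


def find_macro_sheets(stream: bytes):
    """Return [(name, state)] for every BoundSheet8 entry typed as an Excel 4.0 macro sheet."""
    hits = []
    for rec_id, payload in iter_biff_records(stream):
        if rec_id != BOUNDSHEET:
            continue
        name, state, sheet_type = parse_boundsheet(payload)
        if sheet_type == XLM_MACRO_SHEET:
            hits.append((name, SHEET_STATES.get(state, f"unknown(0x{state:02x})")))
    return hits


def find_markers(stream: bytes, markers=VIRUS_MARKERS):
    """Byte-level scan for marker strings stored as 8-bit or as UTF-16LE text."""
    return [m for m in markers
            if m.encode("latin-1") in stream or m.encode("utf-16-le") in stream]


def classify(stream: bytes):
    """Mirror the report's two heuristics: structural (macro sheet) and content (marker)."""
    return {
        "xlm_macro_sheet_present": bool(find_macro_sheets(stream)),
        "formula_macro_virus_marker": bool(find_markers(stream)),
    }


# ---- constructed sample stream (not bytes from the analysed file) ----
def biff_record(rec_id: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rec_id, len(payload)) + payload


def boundsheet_record(name: str, state: int, sheet_type: int) -> bytes:
    encoded = name.encode("latin-1")  # flags byte 0x00 = compressed 8-bit name
    return biff_record(BOUNDSHEET, struct.pack("<IBBBB", 0, state, sheet_type, len(encoded), 0) + encoded)


MARKER_TEXT = b"Poppy by VicodinES"
SAMPLE_STREAM = (
    biff_record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0xC1, 0x0206))
    + boundsheet_record("Sheet1", 0x00, 0x00)                 # ordinary visible worksheet
    + boundsheet_record("XL4Poppy", 0x01, XLM_MACRO_SHEET)   # hidden Excel 4.0 macro sheet (assumed name)
    # SST with one 8-bit string: cstTotal=1, cstUnique=1, then cch, flags, chars
    + biff_record(SST, struct.pack("<IIHB", 1, 1, len(MARKER_TEXT), 0) + MARKER_TEXT)
    + biff_record(EOF, b"")
)

if __name__ == "__main__":
    print(find_macro_sheets(SAMPLE_STREAM))
    print(find_markers(SAMPLE_STREAM))
    print(classify(SAMPLE_STREAM))
```

To run this against a real sample, feed it the `Workbook` stream extracted from the OLE container with olefile (`olefile.OleFileIO(path).openstream("Workbook").read()`; BIFF5 files name the stream `Book`). The heuristic identifiers in the report belong to the scanner; `classify()` only mirrors what they check.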