XF.Classic Office (OLE) / .XLS malware analysis — malicious · 851f66471d1e3740

MALICIOUS

Office (OLE) / .XLS

245.0 KB Created: 2006-10-19 08:11:20 Authoring application: Microsoft Excel

MD5: 46657c5bc27a6e2a24ef21e8f1732aa2 SHA-1: 63b8200147c3d8cdca38b4414e08709aaff72dc3 SHA-256: 851f66471d1e3740b35d8b9a787eead912bd5d841ee980867640ca90ea98c5e8

60 Risk Score

Malware Insights

XF.Classic · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The sample is identified as a legacy Excel formula macro virus, specifically 'XF.Classic' by VicodinES, also known as 'Poppy'. The heuristic firing indicates the presence of this known malware. The document body contains text related to salary calculations and educational institutions, likely a lure. The script section explicitly mentions infecting workbooks and saving them as 'Book1.xls', and the file path 'C:\Program Files\Microsoft Office\Office10\xlstart\Book1.' is also present, indicating the malware's intent to spread.

Heuristics 1

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.

Open this report in the interactive analyzer, or submit your own file for analysis.