Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8884c5a8f22978b2…

MALICIOUS

Office (OLE)

261.0 KB Created: 2013-05-24 02:20:12 Authoring application: Microsoft Excel First seen: 2015-09-30
MD5: a4f61b959b864730d6c095f4ddde9de0 SHA-1: 3470fd403a1223cb39b0e6149af06c318f67b5e1 SHA-256: 8884c5a8f22978b25f3a5f85a18e8e861cb3a7336d9bc23d026e8ee90b9e898d
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing for 'Legacy Excel formula macro virus marker' and the medium firing for 'Excel 4.0 (XLM) macro sheet present' indicate the presence of malicious Excel 4.0 macros. The presence of 'XL4Poppy' in the document body suggests this macro is related to the Poppy malware. The macros are likely used to execute arbitrary code or download further payloads.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.