Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 89be08dbc54c9bd9…

MALICIOUS

Office (OLE) / .XLS

734.0 KB Created: 2010-07-31 07:04:53 Authoring application: Microsoft Excel
MD5: cd194cd807b4da4ee055329bbd213f54 SHA-1: 45beb926bb8e610c92804aa658b200812728145e SHA-256: 89be08dbc54c9bd966ca404c8fe40d206fa433cdc1daa1a7cdfd0472ce23eef4
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The critical heuristic OLE_XLS_FORMULA_MACRO_VIRUS indicates the presence of a legacy Excel formula macro virus, specifically mentioning 'Poppy by VicodinES'. The presence of the XL4Poppy sheet name further supports this. The document body, a list of students, is a common lure to disguise malicious macro content.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.