Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8c154958013dbf02…

MALICIOUS

Office (OLE) / .XLS

1.84 MB Created: 2000-11-23 01:51:12 Authoring application: Microsoft Excel
MD5: c918f7cf0804909beae37c4645c5dec6 SHA-1: c34c0b598ed4c7ec10d6dbac2d92201567431036 SHA-256: 8c154958013dbf02168ebe7f32974f89b6380bf91543b810fea216fee25e6d89
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The critical heuristic firing 'OLE_XLS_FORMULA_MACRO_VIRUS' indicates this is a legacy Excel macro virus. The embedded text explicitly mentions 'Excel Formula Macro Virus (XF.Classic)', 'Poppy by VicodinES', and 'The Narkotic Network 1998', suggesting its origin and nature. The script details indicate it attempts to infect other workbooks by saving itself as 'Book1.xls' in the Excel startup directory, which is a common infection vector for macro viruses.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://keip.esamho.com/mail/120021101104.nsf/inbox/1FC1AC90B6329C9B49256C5300358531/$FILE/COVER.xls/pfc\althea
    • http://www.iec.ch

Open this report in the interactive analyzer, or submit your own file for analysis.