XF.Classic — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 8e494a6b02233905…

MALICIOUS

Office (OLE) / .XLS

Size: 423.0 KB
Created: 2010-03-18 09:10:35
Authoring application: Microsoft Excel
MD5: 24dfaf5234fa0b28b6b2f8ec513014cf
SHA-1: 2cc92758b5125f20e6f2132069803859d29bd45a
SHA-256: 8e494a6b02233905a2bc6cb0f8c1946d385407d3f83fa208365444ce361a8afc
Risk Score: 80

Malware Insights

XF.Classic · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is identified as a legacy Excel Formula Macro Virus, specifically 'XF.Classic' by VicodinES, also known as 'Poppy'. The document body contains references to 'Poppy by VicodinES', 'The Narkotic Network 1998', and 'Hydrocodone/APAP 10-650 For Your Computer', indicating its nature and origin. The heuristics confirm the presence of XLM macros and legacy Excel macro virus markers, suggesting the file's primary function is to infect other Excel workbooks.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.