Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9808a85beaeda816…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 58.0 KB
Created: 2011-10-12 07:31:50
Authoring application: Microsoft Excel
First seen: 2015-09-16
MD5: 2cea9bd19b5a230bd2097b9651443a40
SHA-1: 603dee9d265aacae7822399569d43be1b9d88dd4
SHA-256: 9808a85beaeda816a805cac6085e83b857429bb450bb91dcc72a01a601520c94
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The critical heuristic OLE_XLS_FORMULA_MACRO_VIRUS and the medium heuristic OLE_XLM_AUTOOPEN both indicate the presence of legacy Excel 4.0 (XLM) macros. The document body contains the strings 'Excel Formula Macro Virus (XF.Classic)' and 'Poppy by VicodinES', suggesting the macro is designed to infect other workbooks and potentially download further malicious content. The presence of a path to 'Book1.xls' implies an attempt to establish persistence or to spread to other workbooks.

Heuristics (2)

  • OLE_XLS_FORMULA_MACRO_VIRUS (critical): Legacy Excel formula macro virus marker
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • OLE_XLM_AUTOOPEN (medium): Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.