Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9a40c39ad86fa277…

MALICIOUS

Office (OLE)

149.0 KB Created: 2012-06-06 01:30:27 Authoring application: WPS Office רҵ°æ First seen: 2016-07-20
MD5: b5f17eb9e55dbc3d7817f49b51474651 SHA-1: aba9db36fef68d089177a784f2fcf8f20a4ac1d0 SHA-256: 9a40c39ad86fa277b748bb86704a1d25f85d951f961bd4e905ae99ea46692875
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains critical heuristic firings indicating the presence of legacy Excel formula macros, specifically identified as 'Excel Formula Macro Virus', 'XF.Classic', and 'Poppy by VicodinES'. The embedded text suggests these macros are intended to infect other workbooks and potentially deliver a payload, as indicated by the string 'Hydrocodone/APAP 10-650 For Your Computer'. The presence of these legacy macro types points to an older, but still potentially dangerous, infection vector.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.