XF.Classic — Office (OLE) malware analysis

Static analysis result for SHA-256 9d357ffa5ae43aed…

MALICIOUS

Office (OLE)

145.5 KB Created: 2002-03-27 02:31:05 Authoring application: Microsoft Excel First seen: 2015-09-16
MD5: 33dde5ba6aa6008923edec53f40531a0 SHA-1: 64b6b1e43ad801f177fa6cf3cdd53949bcbef502 SHA-256: 9d357ffa5ae43aed6e0a34a1ad4f22f5eaabd2da6e65f4e854b92bee8416aaf4
80 Risk Score

Malware Insights

XF.Classic · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel 4.0 (XLM) macro sheet, identified by critical heuristics as the 'XF.Classic' or 'Poppy' Excel Formula Macro Virus. The embedded document body contains references to this malware, including its name and a payload description. The presence of XLM macros indicates an attempt to execute arbitrary code upon opening, likely to download and run a secondary payload.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.