Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a09753615f57c5a7…

MALICIOUS

Office (OLE)

175.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2015-09-22
MD5: 00675d78c4283f0f70ea5c4a87297c70 SHA-1: 035c2f9fb4d89366796ed0686f2e440ae98f7bf5 SHA-256: a09753615f57c5a7b90ffe23b7a2093b800fdad4fa177a4d06da984f6447f147
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of a legacy Excel Formula Macro Virus marker, specifically mentioning 'Excel Formula Macro Virus', 'XF.Classic', 'Poppy by VicodinES', and 'The Narkotic Network 1998'. The document body contains text referencing these markers and describes actions like infecting other workbooks, suggesting a macro-based infection and potential payload delivery mechanism. The XLM macro presence points to T1059.005.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.