Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a3dff898de0713eb…

MALICIOUS

Office (OLE)

Size: 149.5 KB | Created: 2014-02-09 02:37:53 | Authoring application: Microsoft Excel | First seen: 2015-09-14
MD5: 00349ce60c0ae5eddb28339f1af00b90 | SHA-1: 51107383893706a7ca54c65f099f258c9581915d | SHA-256: a3dff898de0713ebf29bb79c10be7607bb6cfb30c2346ae9a59d138a8427bee6
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic fires on self-identifying markers of a legacy Excel formula (XLM) macro virus: 'Excel Formula Macro Virus', 'XF.Classic', 'Poppy by VicodinES' and 'The Narkotic Network'. The document body confirms this: it contains the strings 'An Excel Formula Macro Virus (XF.Classic)' and 'The Narkotic Network 1998', together with the instruction 'Infect Workbook' and a step that saves the result as 'Book1.xls'. The macro's primary function is therefore to copy itself into other Excel workbooks; the visible document content is disguised as an ATM log. Nothing in the two heuristics above points to an additional payload, so the sample presents as a self-replicating formula macro virus rather than a dropper. Note that the T1059.005 (Visual Basic) mapping is a loose fit: Excel 4.0/XLM formula macros execute in Excel's formula engine, not in VBA, and the critical heuristic matches even when no VBA project is present.

Heuristics (2)

  • Legacy Excel formula macro virus marker [critical] OLE_XLS_FORMULA_MACRO_VIRUS
    The Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.