MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical heuristic firing indicates the presence of a legacy Excel Formula Macro Virus, specifically mentioning 'Excel Formula Macro Virus', 'XF.Classic', 'Poppy by VicodinES', and 'The Narkotic Network'. The DOC BODY confirms this by containing strings like 'An Excel Formula Macro Virus (XF.Classic)' and 'The Narkotic Network 1998', along with instructions to 'Infect Workbook' and save it as 'Book1.xls'. This suggests the macro's primary function is to infect other Excel files, likely as a precursor to delivering a malicious payload, and the document itself is disguised as an ATM log.
Heuristics 2
-
Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUSWorkbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Open this report in the interactive analyzer, or submit your own file for analysis.