Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4e36455964894e2…

MALICIOUS

Office (OLE)

69.5 KB Created: 2003-12-31 08:46:19 Authoring application: Microsoft Excel First seen: 2015-10-03
MD5: ca34670dc51a27b63ef6d83773af23c0 SHA-1: f774331a9abd66c8ea706b191d5cd57ab1640196 SHA-256: a4e36455964894e245301c4d26f14b14377411a1268832eb54e9fd08bbca5bf0
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file identified as a legacy Excel formula macro virus, specifically 'Poppy by VicodinES' and 'XF.Classic' from 'The Narkotic Network'. The document body contains what appears to be financial or project reporting data, likely intended to trick the user into opening and interacting with the malicious content. The presence of VBA macro markers and the specific naming conventions strongly indicate a macro-based attack.

Heuristics 1

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.