Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b12c19a545950018…

MALICIOUS

Office (OLE) / .XLS

1.47 MB Created: 2009-03-17 08:31:34 Authoring application: Microsoft Excel
MD5: 4375ab0c8ee0645b748fd99434aa5429 SHA-1: 35f427461690b30a3e91445ab0659c29f1802fb0 SHA-256: b12c19a5459500185dff4597a2c08d8fa1cb367ff00ba57e2561c31f3b4a33ff
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1547.001 Registry Run Keys / Startup Folder

The sample is identified as a legacy XLM macro-virus family marker, specifically XL4Poppy and Normal_MacroVirus. The embedded XLM macros, including `WORKBOOK.HIDE`, suggest an attempt to hide the malicious activity. The heuristic firings indicate that the macro is designed to copy itself, likely for propagation. The presence of embedded URLs suggests a potential download or communication vector, though their reputation is unknown.

Heuristics 3

  • Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • Excel 4.0 (XLM) Auto_Open + macro sheet high OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mail.viettel.com.vn/Documents
    • http://mail.viettel.com.vn/Setup\Tam_Backup\Book1.xls
    • http://mail.viettel.com.vn/3.6\Documents
    • http://mail.viettel.com.vn/My

Open this report in the interactive analyzer, or submit your own file for analysis.