Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b3d0dc00b57f614e…

MALICIOUS

Office (OLE)

448.0 KB Created: 2007-10-23 19:23:34 Authoring application: Microsoft Excel First seen: 2015-09-27
MD5: 76433f708a2a593ae41db69ba8c4ae80 SHA-1: 1d0247959376ca7ca2361ad9146834a43eed25e6 SHA-256: b3d0dc00b57f614e1c5858d20354a6f4410b64403eedf1e5bd6d489d48b75e16
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a legacy Excel Formula Macro Virus, specifically 'Classic.Poppy' by 'VicodinES' and 'The Narkotic Network'. The document body contains text related to infecting other workbooks and saving them as 'Book1.xls' in specific XLSTART directories, indicating a propagation mechanism. The presence of VBA-related heuristics and the nature of the content strongly suggest a malicious intent to spread and potentially execute further malicious code.

Heuristics 1

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.