Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ba85c7e835702134…

MALICIOUS

Office (OLE)

100.5 KB Created: 1996-01-02 05:38:42 Authoring application: Microsoft Excel First seen: 2015-09-20
MD5: 19d3efedf2a1e8758029174700e0fac0 SHA-1: 95c387b0c729d02dcbdcec82d50abadf58e99562 SHA-256: ba85c7e8357021341b1458150c274490aabf1ed061defe076d69639a37459bcb
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a legacy Excel formula macro virus, specifically 'Poppy by VicodinES' and 'XF.Classic', which are known indicators of older malware. The embedded text and script markers suggest an intent to infect other workbooks and potentially deliver a secondary payload, as indicated by phrases like 'Simple Payload' and 'Add New Workbook, Infect It, Save It As Book1.xls'. The presence of VBA macro indicators and the specific markers strongly suggest the use of Visual Basic for macro execution.

Heuristics 1

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.