Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb5e1deeb3842a97…

MALICIOUS

Office (OLE)

59.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2015-09-15
MD5: 2677640a273125eb29b69a0ab9b48320 SHA-1: 8b4f984dc8c5f99b92f2dba63d57a537713f4a15 SHA-256: bb5e1deeb3842a97f4f65931d4fa9a7ea659bc2d0b7b8cd3f2307ea4fbb1aeee
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium heuristic 'OLE_XLM_AUTOOPEN' indicate the presence of a legacy Excel 4.0 macro virus. The macro sheet contains markers and strings associated with known Excel macro viruses, including 'Classic.Poppy by VicodinES' and 'Narkotic Network'. The document body, while appearing to be a roster, contains strings like 'XL4Poppy' and file paths that suggest malicious intent. The macro likely attempts to download and execute a second-stage payload, potentially using the path 'C:\Program Files\Microsoft Office\OFFICE11\xlstart\Book1.' as a staging area.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.