XF.Classic — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 bee06ebda4437416…

MALICIOUS

Office (OLE) / .XLS

426.5 KB
Created: 2008-03-26 09:45:34
Authoring application: Microsoft Excel
MD5: 4613a2b8d046733d252271ea6723f463
SHA-1: ee5b6148204cd67b94ddbcd8f5af79422eb99cf1
SHA-256: bee06ebda44374169bcda806fc80b0f30f32639542c17fbea7c5b82bc7f841db
Risk Score: 60

Malware Insights

XF.Classic · confidence 85%

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' directly identifies this file as a legacy Excel formula macro virus, specifically mentioning 'XF.Classic', 'Poppy by VicodinES', and 'Narkotic Network'. The embedded document body text corroborates this: it contains strings such as 'Excel Formula Macro Virus' and 'Hydrocodone/APAP 10-650 For Your Computer', suggesting malicious intent to infect and potentially deliver a harmful payload. The file also contains references to infecting other workbooks and saving them as 'Book1.xls'.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, ID: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.