Office (OLE) malware analysis — malicious · bf901a2d4ccf6de3

MALICIOUS

Office (OLE)

149.0 KB Created: 2012-02-09 04:02:24 Authoring application: Microsoft Excel First seen: 2015-09-26

MD5: 79f3d29af4d4542dfa83e9fd0c899f7f SHA-1: 1f12468d1ab3a6d1853206daceed963b932b2e22 SHA-256: bf901a2d4ccf6de38b743e207feda18ff7a35ebacb4907daebe318a05eac18e8

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic firing for 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium firing for 'OLE_XLM_AUTOOPEN' indicate the presence of legacy Excel 4.0 macros. The extracted document body and script excerpts reveal strings like 'Classic.Poppy by VicodinES' and 'An Excel Formula Macro Virus (XF.Classic)', suggesting the macro's purpose is to infect other workbooks and potentially download further payloads, a common tactic for older Excel malware.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.