MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1566.001 Spearphishing Attachment
The file is an Excel 4.0 macro-enabled workbook. Heuristics indicate the presence of obfuscated XLM macro chains and a legacy Excel formula macro virus marker, specifically mentioning 'XF.Classic' and 'Poppy by VicodinES'. The macro sheet appears to be designed to infect other workbooks, as indicated by the 'Add New Workbook, Infect It, Save It As Book1.xls' comment and the presence of 'Book1.' in the file path. The macro's intent is to spread and potentially execute further payloads, though the exact mechanism is obscured.
Heuristics 3
-
Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUSWorkbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
-
Obfuscated XLM defined-name macro chain high OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAINExcel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt884b534518219f0e1eacd71781fe27e33a0481b0e32213a40afdc6bf4bf7622b |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 58349 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.