Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c36f9e002eefda16…

MALICIOUS

Office (OLE)

  • Size: 225.5 KB
  • Created: 2013-03-20 00:12:24
  • Authoring application: Microsoft Excel
  • First seen: 2015-09-15
  • MD5: 0f3c41ad43e79ea20f84a9aebe55a060
  • SHA-1: 290a54167c47cfedfce10c65b565b4190cf55dcd
  • SHA-256: c36f9e002eefda16eba844fabdf48dab56d7ed8d0ff22c0663b1ca4aaf1f961e
  • Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic indicates the presence of a legacy Excel formula macro virus marker, specifically mentioning 'Poppy by VicodinES' and 'Narkotic Network'. The medium heuristic confirms the presence of Excel 4.0 (XLM) macros. The document body appears to be a list of business contacts and product names, likely a lure or distraction, and does not directly indicate the macro's function. The primary threat stems from the detected macro virus markers.

Heuristics 2

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.