Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c3d1ad97b1f563fc…

MALICIOUS

Office (OLE)

350.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2014-08-17
MD5: 4848e04ffdc669d7a228f5246c26106b SHA-1: 4b16db10020f08f1a7fed951435c0dcb2b001f54 SHA-256: c3d1ad97b1f563fc0e75bf91e24c23b8e77a9616756fbb7901aa0deb2952409d
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing legacy Excel 4.0 (XLM) macros, indicated by critical and medium heuristic firings. These macros are known to be used for malicious purposes, including infecting other workbooks and potentially downloading further stages. The presence of strings like 'Excel Formula Macro Virus' and 'Poppy by VicodinES' strongly suggests a malicious intent to spread and infect.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.