XF.Classic — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 c4269c311102e4eb…

MALICIOUS

Office (OLE) / .XLS

Size: 2.02 MB
Created: 2008-11-12 07:15:42
Authoring application: Microsoft Excel
MD5: 1cf5f9c91901449fe635f69cc2d6ce13
SHA-1: 728e2c760539bb1467508017f9fab00e02d2d998
SHA-256: c4269c311102e4ebb6bc3e1664c607926d397b5e70adefa4129c4a9536242aae
Risk Score: 80

Malware Insights

XF.Classic · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic OLE_XLS_FORMULA_MACRO_VIRUS indicates this is a legacy Excel Formula Macro Virus, specifically identified as 'XF.Classic' and 'Poppy by VicodinES'. The script section explicitly mentions 'An Excel Formula Macro Virus (XF.Classic)' and 'The Narkotic Network 1998', confirming its nature. The virus's intent is to infect other Excel workbooks, as indicated by the 'Add New Workbook, Infect It, Save It As Book1.xls' and 'Infect Workbook' comments.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.