Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c43be076e488fcbe…

MALICIOUS

Office (OLE)

Size: 348.5 KB
Created: 2011-03-27 06:48:58
Authoring application: Microsoft Excel
First seen: 2012-10-03
MD5: 71be44b4bd943790007897a66c5ae94c
SHA-1: ac7c0032db850b61cef9b52405f0837cec9f5cdd
SHA-256: c43be076e488fcbe925bb0b0488a46c45f64853c76d47231236ae723d9fe97b1
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is a legacy Excel formula macro virus (Excel 4.0 macro language, not VBA) that identifies itself as 'Classic.Poppy by VicodinES' and 'XF.Classic' from 'The Narkotic Network'. Strings in the Workbook stream describe its routine: infect newly opened workbooks and save an infected copy as 'Book1.xls' in the 'xlstart' directory. Excel opens every workbook found in XLSTART at launch, so this is both the persistence and the propagation mechanism: the macro runs on every Excel start and can infect each workbook the user subsequently opens. The single heuristic that fired directly confirms the presence of formula macro virus content; the detection does not depend on a VBA project being present, which is why a VBA-only scan would miss this sample.

Heuristics (1)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
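As an added example (not the scanner's own implementation), the following Python script reproduces the kind of check behind this heuristic: it walks the BIFF records of a Workbook stream, flags BOUNDSHEET entries whose sheet type is the Excel 4.0 macro sheet (including hidden and very-hidden ones), and searches for the self-identifying marker strings quoted in this report in both 8-bit and UTF-16LE form. The Workbook stream it scans is constructed inline for demonstration and is not the analysed sample; the `scan_ole_file` helper assumes the third-party `olefile` package for real files. Record layouts follow the MS-XLS specification.

```python
import struct

# Marker strings quoted in this report's insight and heuristic text.
MARKERS = [b"Classic.Poppy", b"VicodinES", b"XF.Classic",
           b"Narkotic Network", b"xlstart", b"Book1.xls"]
IDENTITY_MARKERS = ("Classic.Poppy", "VicodinES", "XF.Classic", "Narkotic Network")

BIFF_BOF, BIFF_EOF, BIFF_BOUNDSHEET = 0x0809, 0x000A, 0x0085
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
MACRO_SHEET = 0x01  # BoundSheet8.dt: 0 worksheet, 1 macro sheet, 2 chart, 6 VB module


def walk_biff_records(data):
    """Yield (record_id, offset, payload) for each 4-byte-header BIFF record."""
    pos = 0
    while pos + 4 <= len(data):
        rec_id, length = struct.unpack_from("<HH", data, pos)
        yield rec_id, pos, data[pos + 4 : pos + 4 + length]
        pos += 4 + length


def find_macro_sheets(data):
    """Return (name, visibility) for every BOUNDSHEET record of macro-sheet type."""
    found = []
    for rec_id, _, payload in walk_biff_records(data):
        if rec_id != BIFF_BOUNDSHEET or len(payload) < 8:
            continue
        hs_state, sheet_type = payload[4] & 0x03, payload[5]
        cch, flags = payload[6], payload[7]  # ShortXLUnicodeString header
        if flags & 0x01:  # fHighByte set: name stored as UTF-16LE
            name = payload[8 : 8 + 2 * cch].decode("utf-16-le", "replace")
        else:             # compressed 8-bit characters
            name = payload[8 : 8 + cch].decode("latin-1")
        if sheet_type == MACRO_SHEET:
            found.append((name, HIDDEN_STATES.get(hs_state, "unknown")))
    return found


def find_markers(data):
    """Case-insensitive search for each marker in 8-bit and UTF-16LE encodings."""
    lower = data.lower()
    hits = {}
    for marker in MARKERS:
        ascii_form = marker.lower()
        for encoded in (ascii_form, ascii_form.decode().encode("utf-16-le")):
            off = lower.find(encoded)
            if off != -1:
                hits[marker.decode()] = off
                break
    return hits


def assess(data):
    """Verdict in the spirit of the report: identity markers alone are decisive."""
    markers = find_markers(data)
    macro_sheets = find_macro_sheets(data)
    if any(m in markers for m in IDENTITY_MARKERS):
        verdict = "MALICIOUS"
    elif macro_sheets:
        verdict = "SUSPICIOUS"  # XLM sheet present but no known-virus markers
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "markers": markers, "macro_sheets": macro_sheets,
            "persistence": "xlstart" in markers and "Book1.xls" in markers}


def scan_ole_file(path):
    """Scan a real .xls: assumes the third-party 'olefile' package is installed."""
    import olefile  # not in the standard library
    ole = olefile.OleFileIO(path)
    data = ole.openstream("Workbook").read()
    ole.close()
    return assess(data)


# Constructed sample stream (NOT the analysed file): BOF, a normal sheet, a very
# hidden macro sheet, two STRING records carrying the markers, then EOF.
def _record(rec_id, payload):
    return struct.pack("<HH", rec_id, len(payload)) + payload


def _boundsheet(name, sheet_type, hs_state):
    raw = name.encode("latin-1")
    return _record(BIFF_BOUNDSHEET,
                   struct.pack("<IBBBB", 0, hs_state, sheet_type, len(raw), 0) + raw)


SAMPLE_WORKBOOK_STREAM = (
    _record(BIFF_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
    + _boundsheet("Sheet1", 0x00, 0)
    + _boundsheet("Macro1", MACRO_SHEET, 2)
    + _record(0x0207, b"Classic.Poppy by VicodinES / XF.Classic - The Narkotic Network")
    + _record(0x0207, '=SAVE.AS("C:\\xlstart\\Book1.xls")'.encode("utf-16-le"))
    + _record(BIFF_EOF, b"")
)

if __name__ == "__main__":
    print(assess(SAMPLE_WORKBOOK_STREAM))
```

The marker scan is deliberately encoding-aware because BIFF8 stores strings either as compressed 8-bit characters or as UTF-16LE, so a plain ASCII grep can miss half the cases; the macro-sheet walk is the complementary structural check the heuristic text says it does not rely on.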