Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5b6f39323947330…

MALICIOUS

Office (OLE)

Size: 313.0 KB
Created: 1999-12-12 13:16:55
Authoring application: Microsoft Excel
First seen: 2015-09-15
MD5: 03fd90fca49c1c4558653e85dfe4cfa0
SHA-1: c969e3103d9f2d956948924c7453f08831d475b3
SHA-256: c5b6f393239473304f5c715c4fd517a6e9cda57bf91c7a8bda309ff48f0e6cbe
Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing a legacy Excel Formula Macro Virus marker, specifically identified as 'Poppy by VicodinES'. The document body contains text that mimics financial and tax forms, likely as a lure. The presence of the 'Poppy' marker and associated strings strongly suggests a known, albeit old, malware family.

Heuristics (1)

  • Legacy Excel formula macro virus marker (severity: critical; rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    The Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.