Office (OLE) / .XLS malware analysis — malicious · c70c4d9466693593

MALICIOUS

Office (OLE) / .XLS

52.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: f748d0e5cf85791a2ac038a54c3d461c SHA-1: eb8cd2599550f15762cd88c4a3802ceb6911e33b SHA-256: c70c4d9466693593eef6d1dd68c697ad110e39b64427a2baecdc5b7893f2532c

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The critical heuristic OLE_XLS_FORMULA_MACRO_VIRUS indicates the presence of a legacy Excel Formula Macro Virus, specifically mentioning 'Poppy by VicodinES' and 'The Narkotic Network'. The document body confirms this, referencing 'Classic.Poppy by VicodinES' and 'An Excel Formula Macro Virus (XF.Classic)', along with a drug reference 'Hydrocodone/APAP 10-650 For Your Computer'. The XLM macro sheet is designed to infect other workbooks and save them as 'Book1.xls' in the Excel startup directory, indicating a delivery mechanism for further infection.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.